Windows Analysis Report
OgcktrbHkI.exe

Overview

General Information

Sample name: OgcktrbHkI.exe (renamed because the original name is a hash value)
Original sample name: 35f519000ad078d242c0bce097c59b31.exe
Analysis ID: 1436353
MD5: 35f519000ad078d242c0bce097c59b31
SHA1: 41a3c859c36a4240a51e6ce17ab269e8d2728eb0
SHA256: 1dc79692db8709e88fee042c5555f8432dc4638442887d8150b8b7c67f5f3eb2
Tags: 32, exe, trojan

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • OgcktrbHkI.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\OgcktrbHkI.exe" MD5: 35F519000AD078D242C0BCE097C59B31)
    • cmd.exe (PID: 6796 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6964 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\kofydeki\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7148 cmdline: "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3940 cmdline: "C:\Windows\System32\sc.exe" description kofydeki "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2316 cmdline: "C:\Windows\System32\sc.exe" start kofydeki MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 6820 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7464 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 648 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • pspizbvl.exe (PID: 3156 cmdline: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d"C:\Users\user\Desktop\OgcktrbHkI.exe" MD5: B50406135DB8929E333AE2BDD1EE42FF)
    • svchost.exe (PID: 6912 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 7276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 544 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • chrome.exe (PID: 6344 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7208 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1976,i,15118944360220751254,1504055466682295701,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • svchost.exe (PID: 7032 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 3940 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7112 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6672 -ip 6672 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6996 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7992 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
Extracted configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
YARA matches in memory dumps (.sdmp):
Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp | Rule: MALWARE_Win_Tofsee | Description: Detects Tofsee | Author: ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 00000000.00000002.1671898553.0000000001C1B000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown
  • 0x543d:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
(24 further memory dump entries not shown)

YARA matches in unpacked PE files (.unpack):
Source: 11.2.pspizbvl.exe.2310e67.1.unpack | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 11.2.pspizbvl.exe.2310e67.1.unpack | Rule: MALWARE_Win_Tofsee | Description: Detects Tofsee | Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.unpack | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.unpack | Rule: MALWARE_Win_Tofsee | Description: Detects Tofsee | Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
Source: 0.2.OgcktrbHkI.exe.400000.0.unpack | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
(39 further unpacked PE entries not shown)

        System Summary

        barindex
Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d"C:\Users\user\Desktop\OgcktrbHkI.exe", ParentImage: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe, ParentProcessId: 3156, ParentProcessName: pspizbvl.exe, ProcessCommandLine: svchost.exe, ProcessId: 6912, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\OgcktrbHkI.exe", ParentImage: C:\Users\user\Desktop\OgcktrbHkI.exe, ParentProcessId: 6672, ParentProcessName: OgcktrbHkI.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7148, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.47.53.36, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 6912, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49743
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d"C:\Users\user\Desktop\OgcktrbHkI.exe", ParentImage: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe, ParentProcessId: 3156, ParentProcessName: pspizbvl.exe, ProcessCommandLine: svchost.exe, ProcessId: 6912, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6912, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\kofydeki
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\OgcktrbHkI.exe", ParentImage: C:\Users\user\Desktop\OgcktrbHkI.exe, ParentProcessId: 6672, ParentProcessName: OgcktrbHkI.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7148, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7032, ProcessName: svchost.exe
        No Snort rule has matched
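
The Sigma hits above describe four host-side behaviours of the installation chain: sc.exe registering a service whose binary sits in a freshly created sub-directory of SysWOW64 (kofydeki), netsh adding an inbound allow rule for svchost.exe, an svchost.exe started by a non-services.exe parent with a bare command line, and a Windows Defender path exclusion written to the registry. The Python below is an added example, not part of the Joe Sandbox report and not the text of any Sigma rule, that implements those four checks over constructed Sysmon-style events. The command lines, images and parents are copied from the process tree and Sigma matches in this report; the event layout (Sysmon EventID 1 for process creation, 13 for registry value set, field names as Sysmon emits them) and the benign services.exe-spawned svchost.exe control row are assumptions.

```python
import re

# Assumption: events are Sysmon-shaped dicts (EventID 1 = process create,
# EventID 13 = registry value set) with Sysmon's field names.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed events. Command lines, images and parents are copied from the
# report's process tree and Sigma matches; the services.exe-spawned svchost.exe
# row is a benign control added to show the rules stay quiet on a normal host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "ParentImage": r"C:\Users\user\Desktop\OgcktrbHkI.exe",
     "CommandLine": r'"C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\user\Desktop\OgcktrbHkI.exe",
     "CommandLine": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Windows\SysWOW64\kofydeki\pspizbvl.exe",
     "CommandLine": "svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\kofydeki"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def sc_create_binpath(cmdline):
    """Parse `sc create <name> binPath= "<exe> <args>"` and return (name, exe).
    The value runs up to the first unescaped quote, so the sample's embedded
    \\" quotes around its /d argument stay inside binPath."""
    m = re.search(r'\bcreate\s+(\S+).*?binPath=\s*"((?:[^"\\]|\\.)*)"', cmdline, re.I)
    if not m:
        return None
    name, binpath = m.group(1), m.group(2)
    # First token of binPath is the executable; tolerate a \"quoted\" path.
    exe = re.match(r'\s*(?:\\?"(.+?)\\?"|(\S+))', binpath)
    return name, exe.group(1) or exe.group(2)


def nested_in_system_dir(path):
    """True when an executable lives in a sub-directory of System32/SysWOW64.
    Service binaries normally sit directly in those directories; a fresh
    sub-directory (here kofydeki) is the tell. Allow-list known legitimate
    nested paths such as wbem\\ before using this as a production rule."""
    p = path.lower()
    for root in SYSTEM_DIRS:
        if p.startswith(root + "\\"):
            return "\\" in p[len(root) + 1:]
    return False


def netsh_allow_rule(cmdline):
    """Return the program path from `netsh advfirewall firewall add rule
    ... action=allow program="..."`, or None if this is not such a command."""
    low = cmdline.lower()
    if "advfirewall" not in low or "add rule" not in low or "action=allow" not in low:
        return None
    m = re.search(r'program="([^"]+)"', cmdline, re.I)
    return m.group(1) if m else None


def detect(events):
    """Run the four checks; return a list of (event index, rule name)."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            image = basename(ev["Image"])
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev["CommandLine"]
            if image == "sc.exe":
                parsed = sc_create_binpath(cmd)
                if parsed and nested_in_system_dir(parsed[1]):
                    findings.append((i, "service_binary_in_nested_system_dir"))
            elif image == "netsh.exe":
                prog = netsh_allow_rule(cmd)
                if prog and basename(prog) == "svchost.exe":
                    findings.append((i, "firewall_allow_rule_for_svchost"))
            elif image == "svchost.exe":
                if parent != "services.exe":
                    findings.append((i, "svchost_uncommon_parent"))
                if " -k " not in cmd.lower():  # real service hosts always name a group
                    findings.append((i, "svchost_without_service_group"))
        elif ev["EventID"] == 13:
            if "\\windows defender\\exclusions\\" in ev["TargetObject"].lower():
                findings.append((i, "defender_exclusion_added"))
    return findings


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Against the constructed events this yields five findings, two of them on the bare `svchost.exe` launched by pspizbvl.exe, and nothing on the BITS service host. The nested-directory check is a heuristic: Windows ships a handful of legitimate service binaries below System32 (for example under wbem\), so an allow-list belongs in front of it before the rule is deployed.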

        AV Detection

        barindex
Source: OgcktrbHkI.exe | Avira: detected
Source: jotunheim.name:443 | URL Reputation: Label: malware
Source: vanaheim.cn:443 | URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Temp\pspizbvl.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: vanaheim.cn | Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\pspizbvl.exe | Virustotal: Detection: 44%
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe (copy) | Virustotal: Detection: 44%
Source: OgcktrbHkI.exe | Virustotal: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\pspizbvl.exe | Joe Sandbox ML: detected
Source: OgcktrbHkI.exe | Joe Sandbox ML: detected
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en | HTTP Parser: No favicon

        Compliance

        barindex
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Unpacked PE file: 0.2.OgcktrbHkI.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Unpacked PE file: 11.2.pspizbvl.exe.400000.0.unpack
Source: OgcktrbHkI.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49770 version: TLS 1.2

        Change of critical system settings

        barindex
Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\kofydeki

        Networking

        barindex
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 109.107.161.150 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 74.125.137.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.53.36 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.110 25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | IP Address: 104.47.53.36
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: Joe Sandbox View | IP Address: 67.195.228.110
Source: Joe Sandbox View | ASN Name: TELEPORT-TV-ASRU
Source: Joe Sandbox View | ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 104.47.53.36:25
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 67.195.228.110:25
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 74.125.137.26:25
Source: global traffic | TCP traffic: 192.168.2.4:49773 -> 217.69.139.150:25
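
The port-25 connections listed above, one svchost.exe process reaching the MX hosts of several mail providers (the DNS section below shows the names: microsoft-com.mail.protection.outlook.com, mta6.am0.yahoodns.net, smtp.google.com, mxs.mail.ru), are the spam-engine behaviour behind the "Suspicious Outbound SMTP Connections" Sigma hit. A single connection to TCP/25 is weak evidence; what separates a spambot from a misconfigured client is many distinct SMTP servers in a short window from a host that is not the organisation's mail relay. The Python below is an added example, not part of the Joe Sandbox report, that applies that aggregation to constructed flow records. The destination addresses and source ports are taken from this report; the timestamps, the 192.168.2.10 relay address and the postfix rows are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Assumption: only the mail relay may open TCP/25 to the internet; any other
# host that does is either misconfigured or running a spam engine.
MAIL_RELAYS = {"192.168.2.10"}

SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

# Constructed flow records: (timestamp, src ip, src port, dst ip, dst port, image).
# Destinations and source ports are the report's; timestamps, the relay
# address and the postfix rows are made up for the example.
FLOWS = [
    ("2024-05-02T10:00:01", "192.168.2.4", 49743, "104.47.53.36", 25, SVCHOST),
    ("2024-05-02T10:00:09", "192.168.2.4", 49757, "67.195.228.110", 25, SVCHOST),
    ("2024-05-02T10:00:12", "192.168.2.4", 49759, "74.125.137.26", 25, SVCHOST),
    ("2024-05-02T10:00:15", "192.168.2.4", 49751, "20.114.59.183", 443, SVCHOST),
    ("2024-05-02T10:00:30", "192.168.2.4", 49773, "217.69.139.150", 25, SVCHOST),
    ("2024-05-02T10:00:40", "192.168.2.10", 50001, "74.125.137.26", 25, "postfix"),
    ("2024-05-02T10:00:41", "192.168.2.10", 50002, "104.47.53.36", 25, "postfix"),
    ("2024-05-02T10:00:42", "192.168.2.10", 50003, "67.195.228.110", 25, "postfix"),
]


def find_smtp_bursts(flows, window_seconds=60, min_distinct=3, relays=MAIL_RELAYS):
    """Return one alert per source host that reaches >= min_distinct distinct
    SMTP servers inside a sliding window of window_seconds. Relays are exempt."""
    window = timedelta(seconds=window_seconds)
    by_src = {}
    for ts, src, _sport, dst, dport, image in flows:
        if dport != 25 or src in relays:
            continue
        by_src.setdefault(src, []).append((datetime.fromisoformat(ts), dst, image))

    alerts = []
    for src, conns in by_src.items():
        conns.sort()  # chronological; tuples sort on the datetime first
        for i, (start, _, _) in enumerate(conns):
            dsts, images = set(), set()
            for ts, dst, image in conns[i:]:
                if ts - start > window:
                    break
                dsts.add(dst)
                images.add(image)
            if len(dsts) >= min_distinct:
                alerts.append({
                    "source": src,
                    "first_seen": start.isoformat(),
                    "distinct_mx": len(dsts),
                    "destinations": sorted(dsts),
                    "images": sorted(images),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_smtp_bursts(FLOWS):
        print(alert)
```

On the constructed flows the only alert is for 192.168.2.4, which reached four distinct MX hosts inside the window from svchost.exe; the relay's three connections are exempt. The 443 connection in the same set is ignored by design: it is the C2 channel, not the spam channel, and belongs to a different rule. Tune `window_seconds` and `min_distinct` to the site; a legitimate workstation should sit at zero, so even low thresholds are safe once the relay allow-list is right.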
Source: unknown | TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183 (14 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 40.68.123.157 (10 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 23.206.229.76 (4 entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (19 entries)
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree | 0_2_00402A62
Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1 | Host: apis.google.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+83avNG6Z9wwMVh&MD=ybDA+rmd HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected: GET /widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP/1.1 | Host: ogs.google.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: navigate | Sec-Fetch-Dest: iframe | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+83avNG6Z9wwMVh&MD=ybDA+rmd HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected: GET /log?format=json&hasfast=true&authuser=0 HTTP/1.1 | Host: play.google.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: NID=513=ON-263QZXt9Weooq4tM-X7f_gPZYX_UROX833_yqu-2GKj7wBRvMMF_Z8Hh_g785FV-f1eGZZ3bmuxVot588IRQ_TPzkUmoPYhH9VZfNdSFfe5oLbWL0o3mTVMkjR2y5hkTF1a_qbB89fDZKW_cIDuWlJVWJsC3zjL1NGiEc0tU
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: apis.google.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: ogs.google.com
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: global traffic | DNS traffic detected: DNS query: play.google.com
Source: unknown | HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 | Host: play.google.com | Connection: keep-alive | Content-Length: 787 | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Content-Type: text/plain;charset=UTF-8 | X-Goog-AuthUser: 0 | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Origin: https://ogs.google.com | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX | Sec-Fetch-Site: same-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://ogs.google.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: NID=513=mPPPqpDMrDFUKWs8QWCE0CfLRBKkKmj_o5FDyqsicCmeUBwk9I5OXwE3RMm_CMffzYSx9ZIPSTxmM-VQzSv_mLJjyXRSUzvk9haotAWoVcJ8iqK3NFmfA42wDu-YwqQ9vhflBU2dO2t8pCNEAbMtpv2HO6denIteuHo8gbtxJng
        Source: svchost.exe, 00000013.00000002.2876220211.000001AB38284000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
        Source: svchost.exe, 00000013.00000002.2876369214.000001AB382F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/
        Source: svchost.exe, 00000013.00000003.1671389346.000001AB38418000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
        Source: edb.log.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
        Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
        Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
        Source: svchost.exe, 00000013.00000003.1671389346.000001AB38418000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
        Source: svchost.exe, 00000013.00000003.1671389346.000001AB38418000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
        Source: svchost.exe, 00000013.00000003.1671389346.000001AB3844D000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
        Source: svchost.exe, 00000013.00000002.2876220211.000001AB38261000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2876300694.000001AB382D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2875660734.000001AB33502000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2876079309.000001AB3820F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2293597228.000001AB38142000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2876138784.000001AB3822C000.00000004.00000020.00020000.00000000.sdmp, edb.log.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/hhbs2fc5gftn5wsvpbv6ueh5wy_2024.4.30.0/go
        Source: svchost.exe, 00000013.00000002.2876300694.000001AB382BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com:80
        Source: qmgr.db.19.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
        Source: chromecache_60.20.dr | String found in binary or memory: http://www.broofa.com
        Source: chromecache_72.20.dr | String found in binary or memory: https://accounts.google.com/o/oauth2/auth
        Source: chromecache_72.20.dr | String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
        Source: chromecache_60.20.dr, chromecache_72.20.dr | String found in binary or memory: https://apis.google.com
        Source: chromecache_59.20.dr | String found in binary or memory: https://apis.google.com/js/api.js
        Source: chromecache_72.20.dr | String found in binary or memory: https://clients6.google.com
        Source: chromecache_72.20.dr | String found in binary or memory: https://content.googleapis.com
        Source: chromecache_72.20.dr | String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
        Source: chromecache_72.20.dr | String found in binary or memory: https://domains.google.com/suggest/flow
        Source: chromecache_60.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
        Source: chromecache_60.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
        Source: chromecache_60.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
        Source: chromecache_60.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
        Source: edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
        Source: edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
        Source: edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
        Source: edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
        Source: edb.log.19.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
        Source: chromecache_75.20.dr | String found in binary or memory: https://ogs.google.com/
        Source: chromecache_75.20.dr | String found in binary or memory: https://ogs.google.com/widget/app/so
        Source: edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
        Source: edb.log.19.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
        Source: chromecache_60.20.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
        Source: chromecache_72.20.dr | String found in binary or memory: https://plus.google.com
        Source: chromecache_72.20.dr | String found in binary or memory: https://plus.googleapis.com
        Source: chromecache_75.20.dr | String found in binary or memory: https://ssl.gstatic.com
        Source: chromecache_59.20.dr | String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
        Source: chromecache_72.20.dr | String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
        Source: chromecache_59.20.dr | String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
        Source: chromecache_72.20.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.me
        Source: chromecache_72.20.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
        Source: chromecache_75.20.dr | String found in binary or memory: https://www.gstatic.com
        Source: chromecache_75.20.dr | String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.
        Source: chromecache_60.20.dr | String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
        Source: chromecache_60.20.dr | String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
        Source: chromecache_60.20.dr | String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
        Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
        Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
        Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
        Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
        Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
        Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
        Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
        Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
        Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49751 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49770 version: TLS 1.2

        Spam, unwanted Advertisements and Ransom Demands

        Source: Yara match | File source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: OgcktrbHkI.exe PID: 6672, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: pspizbvl.exe PID: 3156, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6912, type: MEMORYSTR

        System Summary

        Source: 11.2.pspizbvl.exe.2310e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 11.2.pspizbvl.exe.2310e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 0.3.OgcktrbHkI.exe.1bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.OgcktrbHkI.exe.1bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 11.3.pspizbvl.exe.2330000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 11.3.pspizbvl.exe.2330000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000002.1671898553.0000000001C1B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000B.00000002.1671238466.0000000001B45000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00401280: ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\kofydeki\
        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_0040C913
        Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Code function: 11_2_0040C913
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00CDC913
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: String function: 00402544 appears 53 times
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: String function: 01BA27AB appears 35 times
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156
        Source: OgcktrbHkI.exe, 00000000.00000000.1606556854.00000000019F8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename sFirezer0 vs OgcktrbHkI.exe
        Source: OgcktrbHkI.exe, 00000000.00000002.1672013177.0000000001C31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename sFirezer0 vs OgcktrbHkI.exe
        Source: OgcktrbHkI.exe | Binary or memory string: OriginalFilename sFirezer0 vs OgcktrbHkI.exe
        Source: OgcktrbHkI.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 11.2.pspizbvl.exe.2310e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.pspizbvl.exe.2310e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.OgcktrbHkI.exe.1bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.OgcktrbHkI.exe.1bc0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.3.pspizbvl.exe.2330000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.3.pspizbvl.exe.2330000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.1671898553.0000000001C1B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.1671238466.0000000001B45000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: classification engine | Classification label: mal100.troj.evad.winEXE@51/39@20/12
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_01C2046B CreateToolhelp32Snapshot,Module32First,0_2_01C2046B
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,11_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00CD9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,13_2_00CD9A6B
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:3940:64:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1856:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7112:64:WilError_03
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | File created: C:\Users\user\AppData\Local\Temp\pspizbvl.exe
Source: OgcktrbHkI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OgcktrbHkI.exe | Virustotal: Detection: 43%
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | File read: C:\Users\user\Desktop\OgcktrbHkI.exe
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_11-14996)
Source: unknown | Process created: C:\Users\user\Desktop\OgcktrbHkI.exe "C:\Users\user\Desktop\OgcktrbHkI.exe"
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\kofydeki\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description kofydeki "wifi internet conection"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start kofydeki
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d"C:\Users\user\Desktop\OgcktrbHkI.exe"
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6672 -ip 6672
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1976,i,15118944360220751254,1504055466682295701,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 544
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 648
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki\
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\kofydeki\
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description kofydeki "wifi internet conection"
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start kofydeki
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (2 occurrences)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1976,i,15118944360220751254,1504055466682295701,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (13 occurrences)
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6672 -ip 6672
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 544
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 648
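The process creations above form one persistence chain: a new folder under SysWOW64, the dropped executable moved there from %TEMP%, a service created with that binary (the dropper's own path passed as a /d argument), a bare svchost.exe launched by the service binary, and an inbound firewall allow rule for the 32-bit svchost.exe. The following detection logic is an added example for this report, not Joe Sandbox output or code from the sample; it runs over constructed records whose images and command lines are copied from the list above (the record layout, the rule names and the services.exe parent of the benign svchost.exe control are this example's own assumptions, since the report records that parent as unknown) and flags each step of the chain.

```python
"""Flag the Tofsee-style service persistence chain from process-creation records.

Added example for this report; the record layout (parent image, child image,
command line) and the rule names are this example's own assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

SYSWOW64 = r"c:\windows\syswow64"


@dataclass
class ProcEvent:
    parent: str   # image of the creating process
    image: str    # image of the created process
    cmdline: str  # command line of the created process


# Constructed sample input: images and command lines copied from the report's
# process-creation list. The last record is a benign control; its services.exe
# parent is assumed (the report lists that parent as unknown).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\OgcktrbHkI.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki' + "\\"),
    ProcEvent(r"C:\Users\user\Desktop\OgcktrbHkI.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C move /Y '
              r'"C:\Users\user\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\kofydeki' + "\\"),
    ProcEvent(r"C:\Users\user\Desktop\OgcktrbHkI.exe", r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" create kofydeki binPath= '
              r'"C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" '
              r'type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(r"C:\Users\user\Desktop\OgcktrbHkI.exe", r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" start kofydeki'),
    ProcEvent(r"C:\Windows\SysWOW64\kofydeki\pspizbvl.exe", r"C:\Windows\SysWOW64\svchost.exe",
              "svchost.exe"),
    ProcEvent(r"C:\Users\user\Desktop\OgcktrbHkI.exe", r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
              r'name="Host-process for services of Windows" dir=in action=allow '
              r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
]

SC_CREATE = re.compile(
    r'\bcreate\s+(?P<name>\S+)\s+binPath=\s*"(?P<bin>.*?)"\s+(?:type|start|DisplayName)=', re.I)
BIN_SPLIT = re.compile(r'\s*"?(?P<exe>.*?\.exe)"?(?P<args>.*)$', re.I | re.S)
DROPPER_ARG = re.compile(r'/d\\?"(?P<path>.+?)\\?"', re.I)          # /d"..." or /d\"...\"
MOVE_INTO_SYSWOW64 = re.compile(
    r'\bmove\s+(?:/y\s+)?"?(?P<src>[^"]+?)"?\s+(?P<dst>c:\\windows\\syswow64\\\S*)', re.I)
FW_ADD_RULE = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b(?P<opts>.*)$', re.I | re.S)
FW_PROGRAM = re.compile(r'\bprogram="(?P<prog>[^"]+)"', re.I)


def in_syswow64_subdir(path: str) -> bool:
    """True when the path lies below a subdirectory of SysWOW64; a file directly
    in SysWOW64 (such as the real svchost.exe) returns False."""
    p = path.lower()
    return p.startswith(SYSWOW64 + "\\") and "\\" in p[len(SYSWOW64) + 1:]


def analyze(events):
    """Return a list of (rule, detail) findings in event order."""
    findings = []
    for ev in events:
        cmd, low = ev.cmdline, ev.cmdline.lower()
        child = ntpath.basename(ev.image).lower()
        parent = ntpath.basename(ev.parent).lower()

        # 1. Dropped payload moved out of %TEMP% into a folder under SysWOW64.
        m = MOVE_INTO_SYSWOW64.search(cmd)
        if m and "\\temp\\" in m.group("src").lower():
            findings.append(("move_from_temp_into_syswow64", f'{m.group("src")} -> {m.group("dst")}'))

        # 2. Service whose binary sits in such a folder and whose arguments carry
        #    another executable's path via /d"...".
        m = SC_CREATE.search(cmd)
        if m and child == "sc.exe":
            parts = BIN_SPLIT.match(m.group("bin"))
            exe, args = (parts.group("exe"), parts.group("args")) if parts else (m.group("bin"), "")
            if in_syswow64_subdir(exe):
                findings.append(("service_binary_in_syswow64_subdir", f'{m.group("name")}: {exe}'))
            d = DROPPER_ARG.search(args)
            if d:
                findings.append(("service_args_carry_dropper_path", d.group("path")))

        # 3. svchost.exe started by something other than the SCM and without a -k
        #    service group: a host for injected code rather than a real service host.
        if child == "svchost.exe" and parent != "services.exe" and "-k" not in low.split():
            findings.append(("svchost_without_service_group", f"{parent} -> {cmd}"))

        # 4. Inbound allow rule for svchost.exe added through netsh. A literal ">nul"
        #    in argv shows a cmd-style redirect that was handed to netsh as an argument.
        m = FW_ADD_RULE.search(cmd)
        if m and child == "netsh.exe":
            opts = m.group("opts")
            prog = FW_PROGRAM.search(opts)
            if (prog and ntpath.basename(prog.group("prog")).lower() == "svchost.exe"
                    and "dir=in" in opts.lower() and "action=allow" in opts.lower()):
                findings.append(("inbound_firewall_allow_for_svchost", prog.group("prog")))
            if ">nul" in opts:
                findings.append(("shell_redirect_passed_as_argument", ">nul"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:40s} {detail}")
```

Each rule is deliberately narrow: the benign SCM-started `svchost.exe -k netsvcs` record produces no finding, while the six steps of the chain each produce at least one. The regexes parse command lines as text, so a real deployment should feed them from a source that records the full original command line (Sysmon event 1 or security event 4688 with command-line auditing enabled); without that, the `/d` argument and the `>nul` token are not observable.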
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Sections loaded (in order): apphelp.dll, msimg32.dll, dbghelp.dll, msvcr100.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Sections loaded (in order): apphelp.dll, msimg32.dll, dbghelp.dll, msvcr100.dll, sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe | Sections loaded (in order): dbghelp.dll, iphlpapi.dll, dhcpcsvc.dll, dhcpcsvc6.dll, dnsapi.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, sspicli.dll
Source: C:\Windows\SysWOW64\netsh.exe | Sections loaded (in order): kernel.appcore.dll, ifmon.dll, iphlpapi.dll, mprapi.dll, rasmontr.dll, rasapi32.dll, fwpuclnt.dll, rasman.dll, mfc42u.dll, rasman.dll, authfwcfg.dll, fwpolicyiomgr.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, dhcpcmonitor.dll, dot3cfg.dll, dot3api.dll, onex.dll, eappcfg.dll, ncrypt.dll, eappprxy.dll, ntasn1.dll, fwcfg.dll, hnetmon.dll, netshell.dll, nlaapi.dll, netsetupapi.dll, netiohlp.dll, dhcpcsvc.dll, winnsi.dll, nshhttp.dll, httpapi.dll, nshipsec.dll, userenv.dll, activeds.dll, polstore.dll, winipsec.dll, adsldpc.dll, nshwfp.dll, cabinet.dll, p2pnetsh.dll, p2p.dll, profapi.dll, cryptbase.dll, rpcnsh.dll, whhelper.dll, winhttp.dll, wlancfg.dll, cryptsp.dll, wlanapi.dll, wshelper.dll, wevtapi.dll, mswsock.dll, peerdistsh.dll, uxtheme.dll, wcmapi.dll, rmclient.dll, mobilenetworking.dll, slc.dll, sppc.dll, gpapi.dll, ktmw32.dll, mprmsg.dll, windows.storage.dll, wldp.dll, msasn1.dll
Source: C:\Windows\System32\svchost.exe | Sections loaded (in order): wersvc.dll, windowsperformancerecordercontrol.dll, weretw.dll, xmllite.dll, wldp.dll, wer.dll, policymanager.dll, msvcp110_win.dll (this pair loaded six times), faultrep.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\OgcktrbHkI.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\OgcktrbHkI.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: OgcktrbHkI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Unpacked PE file: 0.2.OgcktrbHkI.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Unpacked PE file: 11.2.pspizbvl.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Unpacked PE file: 0.2.OgcktrbHkI.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Unpacked PE file: 11.2.pspizbvl.exe.400000.0.unpack
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_01C23753 push 0000002Bh; iretd 0_2_01C23759
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_01C1B12B push edi; ret 0_2_01C1B1FA
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_01C1B4B5 push eax; ret 0_2_01C1B4BA
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Code function: 11_2_01B4CDBB push 0000002Bh; iretd 11_2_01B4CDC1

        Persistence and Installation Behavior

Source: unknown | Executable created and started: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe (copy)
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | File created: C:\Users\user\AppData\Local\Temp\pspizbvl.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe (copy)
Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kofydeki
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\ogcktrbhki.exe
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 13_2_00CD199C
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15328
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_11-16310
Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_13-6419
Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_13-6144
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_13-6711
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_11-15616
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15286
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_13-7423
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_13-6174
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_11-15011
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14859
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | API coverage: 5.4 %
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | API coverage: 4.0 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 8068 | Thread sleep count: 31 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 8068 | Thread sleep time: -31000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7304 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
Source: svchost.exe, 00000013.00000002.2876176032.000001AB38258000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.2874366057.0000000003200000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: svchost.exe, 00000013.00000002.2875300242.000001AB32C2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | API call chain: ExitProcess graph end node graph_0-15288
Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_13-6178
Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_13-6437

        Anti Debugging

Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_11-16371
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_01BA0D90 mov eax, dword ptr fs:[00000030h] 0_2_01BA0D90
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_01BA092B mov eax, dword ptr fs:[00000030h] 0_2_01BA092B
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_01C1FD48 push dword ptr fs:[00000030h] 0_2_01C1FD48
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Code function: 11_2_01B493B0 push dword ptr fs:[00000030h] 11_2_01B493B0
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Code function: 11_2_0231092B mov eax, dword ptr fs:[00000030h] 11_2_0231092B
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Code function: 11_2_02310D90 mov eax, dword ptr fs:[00000030h] 11_2_02310D90
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00CD9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 13_2_00CD9A6B

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 109.107.161.150 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 74.125.137.26 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.53.36 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.110 25
        Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: CD0000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: CD0000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: CD0000
        Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: AC8008
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki\
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\kofydeki\
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description kofydeki "wifi internet conection"
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start kofydeki
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6672 -ip 6672
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 544
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 648
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00406EDD
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,0_2_0040405E
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,0_2_0040EC54
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326
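The memory evidence above is the injection in one picture: pspizbvl.exe allocates a page-execute-read-write region at base CD0000 inside C:\Windows\SysWOW64\svchost.exe and writes bytes beginning 4D5A ("MZ") to it, and the Yara sections further down list 13.2.svchost.exe.cd0000.0.unpack as an unpacked PE at exactly that base. The added example below, which is not part of the Joe Sandbox report, shows the check a responder would run over a process memory map to find the same artifact on a live host or in a dump: a region that is not backed by a mapped image, is executable, and starts with a well-formed MZ/PE header. The Region record, its field names and the sample memory map are constructed for the example; a real tool would fill them from VirtualQueryEx/ReadProcessMemory or a memory-dump parser.

```python
import struct
from dataclasses import dataclass

# Memory protection and region-type constants (winnt.h values).
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_AND_EXECUTABLE = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_IMAGE = 0x1000000    # region backed by a mapped image (a loaded module)
MEM_PRIVATE = 0x20000    # region created by VirtualAlloc(Ex)


@dataclass
class Region:
    """One entry of a process memory map; the field names are this example's own."""
    process: str
    base: int
    protect: int
    region_type: int
    head: bytes  # first bytes of the region, as a responder would read them


def looks_like_pe(data: bytes) -> bool:
    """True for an MZ header whose e_lfanew points inside the buffer at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(regions):
    """Return (process, base, reason) for each non-image executable region that holds a PE."""
    findings = []
    for r in regions:
        if r.region_type == MEM_IMAGE or not (r.protect & EXECUTABLE):
            continue
        if not looks_like_pe(r.head):
            continue
        reason = "private executable region starts with a PE image"
        if r.protect & WRITABLE_AND_EXECUTABLE:
            reason += " (RWX)"
        findings.append((r.process, r.base, reason))
    return findings


def constructed_pe_head() -> bytes:
    """Minimal constructed MZ/PE header: e_lfanew = 0x40, then 'PE\\0\\0' and Machine = 0x014C (i386)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18


# Constructed memory map mirroring the report: the legitimate svchost image, an
# ordinary PAGE_READWRITE heap region, and the injected RWX region at 0xCD0000
# whose first bytes the sandbox recorded as 4D 5A.
SAMPLE_REGIONS = [
    Region("svchost.exe", 0x00400000, PAGE_EXECUTE_READ, MEM_IMAGE, constructed_pe_head()),
    Region("svchost.exe", 0x00600000, 0x04, MEM_PRIVATE, b"\x00" * 64),
    Region("svchost.exe", 0x00CD0000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, constructed_pe_head()),
]

if __name__ == "__main__":
    for proc, base, why in triage(SAMPLE_REGIONS):
        print(f"{proc} base=0x{base:08X}: {why}")
```

Only the private region at 0xCD0000 is reported; the image-backed svchost module at 0x400000 carries the same header but is skipped because MEM_IMAGE regions are the loader's own mappings. Legitimate JIT engines also create private executable regions, so the PE-header test is what keeps this check narrow enough to be useful.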

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
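Taken together, the process-creation and network lines in this report and the section above describe a small, reusable detection chain: a payload moved from the user's Temp directory into a freshly created subfolder of C:\Windows\SysWOW64, a service registered with sc.exe whose binPath points into that subfolder (with a lure DisplayName of "wifi support"), a netsh inbound allow rule for svchost.exe under a name that imitates Microsoft's own rule descriptions, svchost.exe started by the service binary rather than by services.exe, and the injected svchost.exe then connecting on TCP/25 to several mail exchangers. The example below is added here and is not part of the Joe Sandbox report or the Sigma rules it references; it encodes those five observations as rules over constructed event records whose field names (type, parent, image, cmdline, dst, port) are this example's own, not a Sysmon or Joe Sandbox schema. The sample events reproduce the command lines and destinations listed in the report (the trailing ">nul" redirection is omitted).

```python
import re
from collections import defaultdict

# Constructed events reproducing the command lines and connections in the report.
DESKTOP_SAMPLE = r"C:\Users\user\Desktop\OgcktrbHkI.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": DESKTOP_SAMPLE, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki' + "\\"},
    {"type": "process_create", "parent": DESKTOP_SAMPLE, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\kofydeki' + "\\"},
    {"type": "process_create", "parent": DESKTOP_SAMPLE, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"type": "process_create", "parent": DESKTOP_SAMPLE, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    {"type": "process_create", "parent": r"C:\Windows\SysWOW64\kofydeki\pspizbvl.exe",
     "image": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": "svchost.exe"},
    {"type": "network_connect", "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "109.107.161.150", "port": 443},
    {"type": "network_connect", "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "217.69.139.150", "port": 25},
    {"type": "network_connect", "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "74.125.137.26", "port": 25},
    {"type": "network_connect", "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "104.47.53.36", "port": 25},
    {"type": "network_connect", "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "67.195.228.110", "port": 25},
]

# Directories where a service binary under C:\Windows is expected to live.
WINDOWS_ROOTS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
BINPATH_RE = re.compile(r'binpath=\s*"?([a-z]:\\[^"\s]+?\.exe)', re.I)
PROGRAM_RE = re.compile(r'program="?([^"\s]+)', re.I)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def check_process_create(ev):
    """Rules for one process-creation event; returns a list of (rule, detail)."""
    hits = []
    cmd, low, image = ev["cmdline"], ev["cmdline"].lower(), basename(ev["image"])
    # 1. sc create whose service binary sits in a made-up subdirectory of C:\Windows.
    if image == "sc.exe" and " create " in low:
        m = BINPATH_RE.search(cmd)
        if m and dirname(m.group(1)).startswith("c:\\windows\\") and dirname(m.group(1)) not in WINDOWS_ROOTS:
            hits.append(("service_binary_in_unusual_windows_subdir", m.group(1)))
    # 2. netsh inbound allow rule for svchost.exe: the process the sample injects into,
    #    which never needs a per-program inbound rule added by a user-launched binary.
    if image == "netsh.exe" and all(k in low for k in ("advfirewall", "add rule", "dir=in", "action=allow")):
        m = PROGRAM_RE.search(cmd)
        if m and basename(m.group(1)) == "svchost.exe":
            hits.append(("inbound_firewall_allow_for_svchost", m.group(1)))
    # 3. cmd /C move of a file from the user's Temp directory into C:\Windows.
    if image == "cmd.exe" and " move " in low and "\\appdata\\local\\temp\\" in low and "c:\\windows\\" in low:
        hits.append(("temp_to_windows_dir_staging", cmd))
    # 4. svchost.exe started by anything other than services.exe (tune for known exceptions).
    if image == "svchost.exe" and basename(ev["parent"]) != "services.exe":
        hits.append(("svchost_unexpected_parent", ev["parent"]))
    return hits


def run_rules(events):
    """Apply the per-event rules and the cross-event SMTP fan-out rule."""
    hits = []
    smtp_targets = defaultdict(set)
    for ev in events:
        if ev["type"] == "process_create":
            hits.extend(check_process_create(ev))
        elif ev["type"] == "network_connect" and ev["port"] == 25 and basename(ev["image"]) == "svchost.exe":
            smtp_targets[ev["image"]].add(ev["dst"])
    # 5. A service host opening SMTP sessions to several mail exchangers is spam-bot behaviour.
    for image, dsts in smtp_targets.items():
        hits.append(("svchost_smtp_fanout", sorted(dsts)))
    return hits


if __name__ == "__main__":
    for rule, detail in run_rules(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run on the constructed events, each of the five rules fires exactly once; the 443 connection to 109.107.161.150 is deliberately left to the C2 indicators elsewhere in the report rather than to the SMTP rule. Rule 4 is the noisiest of the five on real telemetry and should be scoped to the svchost.exe paths and parent processes an environment actually uses before it is deployed.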

        Stealing of Sensitive Information

        Source: Yara match | File source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: OgcktrbHkI.exe PID: 6672, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: pspizbvl.exe PID: 3156, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6912, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: OgcktrbHkI.exe PID: 6672, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: pspizbvl.exe PID: 3156, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6912, type: MEMORYSTR
        Source: C:\Users\user\Desktop\OgcktrbHkI.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,0_2_004088B0
        Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe | Code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,11_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00CD88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,13_2_00CD88B0
        MITRE ATT&CK matrix (flattened from the report's matrix view; only the cells the report marks with a signature-count badge are listed, grouped by tactic, with the badge number reproduced as the report shows it):

        Initial Access: 1 Valid Accounts
        Execution: 41 Native API; 2 Command and Scripting Interpreter; 3 Service Execution
        Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 14 Windows Service
        Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 14 Windows Service; 412 Process Injection
        Defense Evasion: 3 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 12 Masquerading; 1 Valid Accounts; 12 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 412 Process Injection
        Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 25 System Information Discovery; 221 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
        Collection: 1 Archive Collected Data
        Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 114 Application Layer Protocol
        Reconnaissance, Resource Development, Credential Access, Lateral Movement, Exfiltration, Impact: no cells marked
        Behavior Graph (ID: 1436353, Sample: OgcktrbHkI.exe, Startdate: 04/05/2024, Architecture: WINDOWS, Score: 100), rendered from the graph view as a process tree:

        Start: DNS/IP: vanaheim.cn; mta6.am0.yahoodns.net; 6 other IPs or domains. Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures.
          - pspizbvl.exe. Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures.
              - svchost.exe. DNS/IP: mta6.am0.yahoodns.net 67.195.228.110, port 25 (YAHOO-GQ1US, United States); vanaheim.cn 109.107.161.150, ports 443, 49748, 49765 (TELEPORT-TV-ASRU, Russian Federation); 3 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit); Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry).
              - WerFault.exe
          - OgcktrbHkI.exe. Dropped: C:\Users\user\AppData\Local\...\pspizbvl.exe, PE32. Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall.
              - cmd.exe. Dropped: C:\Windows\SysWOW64\...\pspizbvl.exe (copy), PE32.
                  - conhost.exe
              - netsh.exe
                  - conhost.exe
              - cmd.exe
                  - conhost.exe
              - 4 other processes
                  - conhost.exe (3 instances)
          - chrome.exe. DNS/IP: 192.168.2.4, ports 138, 25, 443 (unknown); 239.255.255.250 (Reserved).
              - chrome.exe. DNS/IP: plus.l.google.com 142.250.176.14, ports 443, 49744, 49776 (GOOGLEUS, United States); play.google.com 142.250.189.14, ports 443, 49774, 49775 (GOOGLEUS, United States); 4 other IPs or domains.
          - 3 other processes. DNS/IP: 127.0.0.1.
              - WerFault.exe
              - WerFault.exe

        Source | Detection | Scanner | Label
        OgcktrbHkI.exe | 44% | Virustotal |
        OgcktrbHkI.exe | 100% | Avira | HEUR/AGEN.1311176
        OgcktrbHkI.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\pspizbvl.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
        C:\Users\user\AppData\Local\Temp\pspizbvl.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\pspizbvl.exe | 45% | Virustotal |
        C:\Windows\SysWOW64\kofydeki\pspizbvl.exe (copy) | 45% | Virustotal |

        No Antivirus matches

        Source | Detection | Scanner | Label
        mta6.am0.yahoodns.net | 0% | Virustotal |
        vanaheim.cn | 15% | Virustotal |

        Source | Detection | Scanner | Label
        http://www.broofa.com | 0% | URL Reputation | safe
        jotunheim.name:443 | 100% | URL Reputation | malware
        vanaheim.cn:443 | 100% | URL Reputation | malware
        https://csp.withgoogle.com/csp/lcreport/ | 0% | URL Reputation | safe
        http://crl.ver) | 0% | Avira URL Cloud | safe
        Name | IP | Active | Malicious | Reputation
        mta6.am0.yahoodns.net | 67.195.228.110 | true | true | unknown
        mxs.mail.ru | 217.69.139.150 | true | false | high
        plus.l.google.com | 142.250.176.14 | true | false | high
        www3.l.google.com | 142.250.72.174 | true | false | high
        play.google.com | 142.250.189.14 | true | false | high
        www.google.com | 142.250.217.132 | true | false | high
        microsoft-com.mail.protection.outlook.com | 104.47.53.36 | true | false | high
        vanaheim.cn | 109.107.161.150 | true | true | unknown
        smtp.google.com | 74.125.137.26 | true | false | high
        google.com | unknown | unknown | false | high
        ogs.google.com | unknown | unknown | false | high
        yahoo.com | unknown | unknown | false | high
        mail.ru | unknown | unknown | false | high
        apis.google.com | unknown | unknown | false | high
        Name | Malicious | Antivirus Detection | Reputation
        https://www.google.com/async/newtab_promos | false | | high
        https://play.google.com/log?format=json&hasfast=true&authuser=0 | false | | high
        jotunheim.name:443 | true | URL Reputation: malware | unknown
        https://www.google.com/async/ddljson?async=ntp:2 | false | | high
        https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | false | | high
        vanaheim.cn:443 | true | URL Reputation: malware | unknown
        https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en | false | | high
        https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 | false | | high
        https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 | false | | high
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://ogs.google.com/ | chromecache_75.20.dr | false | | high
        http://www.broofa.com | chromecache_60.20.dr | false | URL Reputation: safe | unknown
        https://apis.google.com/js/api.js | chromecache_59.20.dr | false | | high
        https://www.google.com/log?format=json&hasfast=true | chromecache_59.20.dr | false | | high
        http://crl.ver) | svchost.exe, 00000013.00000002.2876220211.000001AB38284000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
        https://g.live.com/odclientsettings/ProdV2.C: | edb.log.19.dr, qmgr.db.19.dr | false | | high
        https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1 | chromecache_72.20.dr | false | | high
        https://plus.google.com | chromecache_72.20.dr | false | | high
        https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url= | chromecache_59.20.dr | false | | high
        https://g.live.com/odclientsettings/Prod.C: | edb.log.19.dr, qmgr.db.19.dr | false | | high
        https://play.google.com/log?format=json&hasfast=true | chromecache_60.20.dr | false | | high
        https://g.live.com/odclientsettings/ProdV2 | edb.log.19.dr, qmgr.db.19.dr | false | | high
        https://csp.withgoogle.com/csp/lcreport/ | chromecache_72.20.dr | false | URL Reputation: safe | unknown
        https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | edb.log.19.dr | false | | high
        https://apis.google.com | chromecache_60.20.dr, chromecache_72.20.dr | false | | high
        https://ogs.google.com/widget/app/so | chromecache_75.20.dr | false | | high
        https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | edb.log.19.dr, qmgr.db.19.dr | false | | high
        https://domains.google.com/suggest/flow | chromecache_72.20.dr | false | | high
        https://clients6.google.com | chromecache_72.20.dr | false | | high
        IP | Domain | Country | ASN | ASN Name | Malicious
        109.107.161.150 | vanaheim.cn | Russian Federation | 49973 | TELEPORT-TV-ASRU | true
        217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | false
        74.125.137.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
        104.47.53.36 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
        142.250.217.132 | www.google.com | United States | 15169 | GOOGLEUS | false
        142.250.176.14 | plus.l.google.com | United States | 15169 | GOOGLEUS | false
        239.255.255.250 | unknown | Reserved | unknown | unknown | false
        67.195.228.110 | mta6.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
        142.250.72.174 | www3.l.google.com | United States | 15169 | GOOGLEUS | false
        142.250.189.14 | play.google.com | United States | 15169 | GOOGLEUS | false
                                                                              IP
                                                                              192.168.2.4
                                                                              127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1436353
Start date and time: 2024-05-04 15:20:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OgcktrbHkI.exe
renamed because original name is a hash value
Original Sample Name: 35f519000ad078d242c0bce097c59b31.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@51/39@20/12
                                                                              EGA Information:
                                                                              • Successful, ratio: 100%
                                                                              HCA Information:
                                                                              • Successful, ratio: 100%
                                                                              • Number of executed functions: 63
                                                                              • Number of non-executed functions: 254
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                              • Excluded IPs from analysis (whitelisted): 142.250.72.131, 142.250.188.238, 74.125.137.84, 34.104.35.123, 172.217.14.67, 20.231.239.246, 20.112.250.133, 20.236.44.162, 20.76.201.171, 20.70.246.20, 23.3.84.131, 199.232.210.172, 192.229.211.108, 172.217.12.131, 142.250.176.3, 142.250.72.163, 142.250.189.3, 142.251.40.46
                                                                              • Excluded domains from analysis (whitelisted): clients1.google.com, ssl.gstatic.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, www.gstatic.com, microsoft.com, prod.fs.microsoft.com.akadns.net
                                                                              • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:20:59 | API Interceptor | 6x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
239.255.255.250 | SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.18101.30858.exe | malicious | Unknown
239.255.255.250 | mBW2MzlcHN.exe | malicious | LockBit ransomware, PureLog Stealer
239.255.255.250 | 0e46.scr.exe | malicious | AgentTesla
239.255.255.250 | Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe | malicious | AgentTesla
239.255.255.250 | Dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer
239.255.255.250 | #U00d6deme tavsiyesi.exe | malicious | AgentTesla, PureLog Stealer
239.255.255.250 | E7236252-receipt.vbs | malicious | XWorm
239.255.255.250 | 4365078236450.LnK.lnk | malicious | Unknown
239.255.255.250 | Pedido-Faturado-398731.msi | malicious | Unknown
239.255.255.250 | SecuriteInfo.com.Win32.Dropper-CHS.435.30054.exe | malicious | Unknown
217.69.139.150 | G7DyaA9iz9.exe | malicious | Pushdo
217.69.139.150 | x607DB0i08.exe | malicious | Pushdo
217.69.139.150 | x7RlIzQDk1.exe | malicious | Unknown
217.69.139.150 | EwK95WVtzI.exe | malicious | Pushdo
217.69.139.150 | OWd39WUX3D.exe | malicious | Pushdo
217.69.139.150 | 0bv3c9AqYs.exe | malicious | Pushdo
217.69.139.150 | gEkl9O5tiu.exe | malicious | Phorpiex
217.69.139.150 | CX17SY6xF6.exe | malicious | Pushdo
217.69.139.150 | PIyT9A3jfC.exe | malicious | Pushdo
217.69.139.150 | nhVJ8J5qOt.exe | malicious | Pushdo
67.195.228.110 | file.exe | malicious | Phorpiex
67.195.228.110 | file.exe | malicious | Phorpiex
67.195.228.110 | gEkl9O5tiu.exe | malicious | Phorpiex
67.195.228.110 | file.exe | malicious | Phorpiex, Xmrig
67.195.228.110 | data.log.exe | malicious | Unknown
67.195.228.110 | Update-KB7390-x86.exe | malicious | Unknown
67.195.228.110 | Update-KB78-x86.exe | malicious | Unknown
67.195.228.110 | Update-KB6340-x86.exe | malicious | Unknown
67.195.228.110 | JgC7A84YOU.exe | malicious | Tofsee Xmrig
67.195.228.110 | wxdh9aIrfH.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Vidar Xmrig
104.47.53.36 | DWoKcG581L.exe | malicious | Tofsee
104.47.53.36 | kPl1mZTpru.exe | malicious | Tofsee
104.47.53.36 | Wc4SadetF5.exe | malicious | Tofsee
104.47.53.36 | L7iza9mNDI.exe | malicious | Tofsee
104.47.53.36 | file.exe | malicious | Tofsee
104.47.53.36 | mvu3vh0t.exe | malicious | Tofsee
104.47.53.36 | t26nL0kcxj.exe | malicious | Tofsee
104.47.53.36 | lhs31fcc2k0lmr.exe | malicious | Tofsee
104.47.53.36 | SecuriteInfo.com.Win32.TrojanX-gen.5284.17028.exe | malicious | Tofsee
104.47.53.36 | SecuriteInfo.com.Win32.TrojanX-gen.9178.5965.exe | malicious | Tofsee
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.94
mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.204.72
mta6.am0.yahoodns.net | RqrQG7s66x.dll | malicious | Unknown | 67.195.228.109
mta6.am0.yahoodns.net | webcam.txt.com.exe | malicious | Unknown | 67.195.204.73
mta6.am0.yahoodns.net | file.exe | malicious | Tofsee | 98.136.96.74
mta6.am0.yahoodns.net | file.msg.scr.exe | malicious | Unknown | 67.195.228.106
mta6.am0.yahoodns.net | file.exe | malicious | Tofsee | 67.195.228.94
mta6.am0.yahoodns.net | .exe | malicious | Unknown | 98.136.96.91
mta6.am0.yahoodns.net | file.exe | malicious | Tofsee | 98.136.96.76
mta6.am0.yahoodns.net | file.log.exe | malicious | Unknown | 67.195.228.94
microsoft-com.mail.protection.outlook.com | DWoKcG581L.exe | malicious | Tofsee | 104.47.53.36
microsoft-com.mail.protection.outlook.com | kPl1mZTpru.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | Wc4SadetF5.exe | malicious | Tofsee | 104.47.53.36
microsoft-com.mail.protection.outlook.com | L7iza9mNDI.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | file.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | sorteado!!.com.exe | malicious | Unknown | 52.101.11.0
microsoft-com.mail.protection.outlook.com | mvu3vh0t.exe | malicious | Tofsee | 104.47.53.36
microsoft-com.mail.protection.outlook.com | U9dDsItOij.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | bwntJQufLG.exe | malicious | Tofsee | 104.47.54.36
microsoft-com.mail.protection.outlook.com | t26nL0kcxj.exe | malicious | Tofsee | 104.47.54.36
vanaheim.cn | DWoKcG581L.exe | malicious | Tofsee | 85.208.208.90
vanaheim.cn | kPl1mZTpru.exe | malicious | Tofsee | 77.232.138.239
vanaheim.cn | Wc4SadetF5.exe | malicious | Tofsee | 5.188.88.112
vanaheim.cn | L7iza9mNDI.exe | malicious | Tofsee | 5.188.88.112
vanaheim.cn | file.exe | malicious | Tofsee | 5.188.88.112
vanaheim.cn | mvu3vh0t.exe | malicious | Tofsee | 194.169.163.56
vanaheim.cn | U9dDsItOij.exe | malicious | Tofsee | 194.169.163.56
vanaheim.cn | bwntJQufLG.exe | malicious | Tofsee | 194.169.163.56
vanaheim.cn | t26nL0kcxj.exe | malicious | Tofsee | 194.169.163.56
vanaheim.cn | lhs31fcc2k0lmr.exe | malicious | Tofsee | 194.169.163.56
mxs.mail.ru | a5hbkmGD7N.exe | malicious | Pushdo | 94.100.180.31
mxs.mail.ru | G7DyaA9iz9.exe | malicious | Pushdo | 217.69.139.150
mxs.mail.ru | x7RlIzQDk1.exe | malicious | Unknown | 217.69.139.150
mxs.mail.ru | gEkl9O5tiu.exe | malicious | Phorpiex | 94.100.180.31
mxs.mail.ru | PIyT9A3jfC.exe | malicious | Pushdo | 217.69.139.150
mxs.mail.ru | file.exe | malicious | Phorpiex, Xmrig | 217.69.139.150
mxs.mail.ru | rLDmqbpt5D.exe | malicious | Pushdo, DanaBot, RedLine, SmokeLoader | 94.100.180.31
mxs.mail.ru | .exe | malicious | Unknown | 94.100.180.31
mxs.mail.ru | file.exe | malicious | Pushdo, DanaBot, SmokeLoader | 217.69.139.150
mxs.mail.ru | 1EsDtA4mep.exe | malicious | Pushdo | 217.69.139.150
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEPORT-TV-ASRU | clik.exe | malicious | CredGrabber, PureLog Stealer | 109.107.181.83
| leadiadequatepro.exe | malicious | CredGrabber, PureLog Stealer | 109.107.181.83
| responsibilityleadpro.exe | malicious | CredGrabber, Meduza Stealer | 109.107.181.83
| CE1KVxYp5t.exe | malicious | CredGrabber, Meduza Stealer | 109.107.181.83
| Ve6VeFSgkz.exe | malicious | CredGrabber, Meduza Stealer | 109.107.181.83
| fDTPlvsGfH.exe | malicious | DCRat | 109.107.182.145
| eOU2MVDmTd.exe | malicious | CredGrabber, Meduza Stealer, PureLog Stealer, zgRAT | 109.107.181.83
| SecuriteInfo.com.Win64.PWSX-gen.6289.18727.exe | malicious | CredGrabber, Meduza Stealer, PureLog Stealer | 109.107.181.83
| gKN4xIjj5o.exe | malicious | CredGrabber, PureLog Stealer | 109.107.181.83
| vRp56pf5a9.exe | malicious | CredGrabber, PureLog Stealer, zgRAT | 109.107.181.83
MAILRU-ASMailRuRU | c40snYcuW6.elf | malicious | Mirai | 5.61.23.80
| arm7.elf | malicious | Mirai | 217.69.134.17
| SkM9yWax29.elf | malicious | Mirai | 178.237.22.126
| base.apk | malicious | Anubis BankBot | 178.237.20.131
| UD6c1o6Fhg.elf | malicious | Mirai | 94.100.184.227
| BSKbaZ6Mij.elf | malicious | Mirai | 94.100.184.245
| https://cloud.mail.ru/stock/hG498Pfe7uJ1fEVeN7iTtbHo | malicious | HTMLPhisher | 5.61.23.11
| nigga.sh | malicious | Mirai | 5.61.21.188
| WY0hbWVwQF.elf | malicious | Mirai | 5.61.23.62
| 4J8MjfJo3m.elf | malicious | Mirai | 128.140.169.82
YAHOO-GQ1US | q5C2tw1Pc6.elf | malicious | Mirai | 67.195.2.124
| 8g0fGUcWeQ.elf | malicious | Mirai | 98.136.201.255
| Q00D5u1xHq.elf | malicious | Mirai, Okiru | 98.137.30.195
| gIzj2ZdSYV.elf | malicious | Mirai, Moobot | 98.137.99.74
| yjz3ZEaSau.elf | malicious | Moobot | 98.137.99.74
| TfpwQ763RO.elf | malicious | Mirai, Moobot | 68.180.200.211
| 5m6jbTvemR.elf | malicious | Mirai | 98.136.201.222
| https://yahu.pages.dev/account/js-reporting/?crumb=F3RZp873jWJ&message=javascript_not_enabled&ref=%2F | malicious | HTMLPhisher | 98.137.11.161
| https://ousps88.cc/ | malicious | Unknown | 98.137.11.144
| 3rOSHAZ6SC.elf | malicious | Mirai | 98.137.103.190
MICROSOFT-CORP-MSN-AS-BLOCKUS | 1CMweaqlKp.exe | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader | 13.89.179.12
| sora.x86-20240504-0115.elf | malicious | Mirai | 20.199.232.188
| https://www.bjvpza.cn/ | malicious | Unknown | 13.107.213.40
| https://www.uhnrya.cn/ | malicious | Unknown | 13.107.213.69
| https://portal.cpscompressors.workers.dev/ | malicious | HTMLPhisher | 13.107.246.71
| https://www.soqsrkk.cn/ | malicious | Unknown | 13.107.246.69
| https://www.evernote.com/shard/s593/sh/34d5323e-5e68-2022-e399-8b6a9f22d260/e4DIh4rAMOdx8UQxrqSgHb8GiJxwwBeZjn9dT_57KOFldDUBp5VNPxZHmw/res/782d1fe9-3270-5412-662f-9e3e990fa372 | malicious | HTMLPhisher | 13.107.246.40
| Copy of BARBOT CONSTRUCTION.xlsx | malicious | HtmlDropper, HTMLPhisher | 52.109.28.46
| Scanned from Xerox KwlawMultiftr.rtf | malicious | HTMLPhisher | 52.109.52.131
| Purchase_Order_1803075641.htm | malicious | HTMLPhisher | 13.107.213.40
Match | Associated Sample Name / URL | Detection | Threat Name | Context
28a2c9bd18a11de089ef85a160da29e4 | SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.18101.30858.exe | malicious | Unknown | 40.68.123.157, 20.114.59.183
| mBW2MzlcHN.exe | malicious | LockBit ransomware, PureLog Stealer | 40.68.123.157, 20.114.59.183
| eiQXaKJ75nCjEWn.exe | malicious | AgentTesla, PureLog Stealer | 40.68.123.157, 20.114.59.183
| 0e46.scr.exe | malicious | AgentTesla | 40.68.123.157, 20.114.59.183
| Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe | malicious | AgentTesla | 40.68.123.157, 20.114.59.183
| Dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 40.68.123.157, 20.114.59.183
| #U00d6deme tavsiyesi.exe | malicious | AgentTesla, PureLog Stealer | 40.68.123.157, 20.114.59.183
| E7236252-receipt.vbs | malicious | XWorm | 40.68.123.157, 20.114.59.183
| 4365078236450.LnK.lnk | malicious | Unknown | 40.68.123.157, 20.114.59.183
| Pedido-Faturado-398731.msi | malicious | Unknown | 40.68.123.157, 20.114.59.183
No context

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 1.3277036929714994
Encrypted: false
SSDEEP: 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrM:KooCEYhgYEL0In
MD5: EE3F3F77F324488AA4568A17CD2EF7F6
SHA1: 27811C94101482C3F7D9BB111447E85C550E1EA1
SHA-256: 416BE34422EB8D668E6D3D9B8B8E64510442623E55085E95C40A9DD9568A8C0E
SHA-512: 9378B5060A8EFDA0763A14322108F1915295C2F8EB11270BE58E120C2A9C681D9C1B95D62354A1839BC882F604B682FE70323DBE944C80A7BE8D16B4A81767EA
Malicious: false
Preview: z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x26eb8c3f, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.42210152543902413
Encrypted: false
SSDEEP: 1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
MD5: 1B2EE00520C8EF37E25C211C701EB1B0
SHA1: AB4ADB81F23066A94A91FC5C3F7CFFC7FF959BCA
SHA-256: 7EB2EB0FC940B53DE1253F83AAE2B69AFEABF45AA3DD21D4BB3B1D5E5049453B
SHA-512: 40CA2A17A10E526F2C0EC64B1D2ED7E4E0196FA85844219721DD43F36236B39D97223D90F8A89D4DB233B259DD270886219DF2D873A0C8D3AB2C267625D14D19
Malicious: false
Preview: &.?... .......A.......X\...;...{......................0.!..........{A......|+.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................R........|K.................4.K......|+..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07522799253122159
Encrypted: false
SSDEEP: 3:uggXKYeSdhlAjjn13a/S8ThtillcVO/lnlZMxZNQl:uggXKz0bAj53qS8TaOewk
MD5: 8D31AA9093F9436BB3E44D7372299AD9
SHA1: C31C13DA442566DF5B56A841940749736F958F99
SHA-256: 6003469EA60D53A6038AF4B9F847B9999C7762E20EDA0AE9D28C57DA15333851
SHA-512: CB44F125874B6FA3A52D07C983104B8229DDF8ADFA93B03B91A975832E24278EE72D730AEA0227408837363FD5062DFD2643E1A6D2B7F94CCB7AAF3087C1F64E
Malicious: false
Preview: ........................................;...{.......|+......{A..............{A......{A..........{A]................4.K......|+.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\OgcktrbHkI.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 14476288
Entropy (8bit): 5.31278696874138
Encrypted: false
SSDEEP: 24576:Jc4Rz2LgMvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv:zRz2c
MD5: B50406135DB8929E333AE2BDD1EE42FF
SHA1: 16305C9EC4589A84EC96FEC9CC7EAF05D99A79CF
SHA-256: CD7849F93D395A35D766C01B9D1077B5026D33B030CC8EB3CC2FF389B8431C87
SHA-512: 63D679AA3D40ED6575FEDD6A244FA09B0B3DA98F380BF99F5C8E6A0C1520CDD299711311ADBB24B4FA2703320A95AEFED8B9EB26D3525032DE6343167C1CC5E1
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 45%
                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                              File Type:JSON data
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):55
                                                                                                                                                              Entropy (8bit):4.306461250274409
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):14476288
                                                                                                                                                              Entropy (8bit):5.31278696874138
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24576:Jc4Rz2LgMvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv:zRz2c
                                                                                                                                                              MD5:B50406135DB8929E333AE2BDD1EE42FF
                                                                                                                                                              SHA1:16305C9EC4589A84EC96FEC9CC7EAF05D99A79CF
                                                                                                                                                              SHA-256:CD7849F93D395A35D766C01B9D1077B5026D33B030CC8EB3CC2FF389B8431C87
                                                                                                                                                              SHA-512:63D679AA3D40ED6575FEDD6A244FA09B0B3DA98F380BF99F5C8E6A0C1520CDD299711311ADBB24B4FA2703320A95AEFED8B9EB26D3525032DE6343167C1CC5E1
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
• Antivirus: Virustotal, Detection: 45%
                                                                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              File Type:ASCII text, with very long lines (2200)
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):184072
                                                                                                                                                              Entropy (8bit):5.457813410298979
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3072:LaXH2HHSBV2qoSKRd8mQ3jfA8j3yViKE5rmVqpzE:NHgxohRdUfFyQKEnpzE
                                                                                                                                                              MD5:E5FCBC4D28FD8054A03E23C62057111F
                                                                                                                                                              SHA1:A25AB167CC29D60286E7E3EEAEA77DEC677190C4
                                                                                                                                                              SHA-256:52094E235144F4EFBB9873F05AC25F1E9ADF0F5BD513B6FC4D9E0499331B3486
                                                                                                                                                              SHA-512:7AEEC24270661E4658CB9DC19C075B71E5EDDC22859B1269529EFC0F159F165BE680D2D864BDF4D41B937556D72ED5B4F65011205D80D55EBFED05155753CA1E
                                                                                                                                                              Malicious:false
                                                                                                                                                              URL:"https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.es5.O/am=EGDQuQMg/d=1/excm=_b,_tp,appwidgetnoauthview/ed=1/dg=0/wt=2/ujg=1/rs=AM-SdHvRM4rmzL0TklJKtWu6JILwVFGwEg/m=_b,_tp"
                                                                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              File Type:ASCII text, with very long lines (2294)
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):163286
                                                                                                                                                              Entropy (8bit):5.544045381504343
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3072:CMiFOP4roKgkk/EFZMQbxjZW1BKo6JMI6l0nt8Uv1ziwtXOmDsY+WwYLF/HrY7+A:CMiroKfbMQbxjZW1BKo6JMI6l0nt8Uvq
                                                                                                                                                              MD5:9D9987F6E83F101A097A0BD64A14C71B
                                                                                                                                                              SHA1:E71E10897E0E874DE4D12125D5DF2F7FCE08F585
                                                                                                                                                              SHA-256:D0975FC00A61201A54714BE8DF5E50F02B277E133BA08ABD9DEEA33934FA28A9
                                                                                                                                                              SHA-512:5AE557145F0E0FF3E768AFC63B3E4855F53DCA49D46A22ACB169CC6DC58FF2B11C776B419141EB12C8B0CF7BBD16E928F9EE5AF5014DD976130B00A1995B325E
                                                                                                                                                              Malicious:false
                                                                                                                                                              URL:"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.Ics7SFQVxbg.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTtpRznzVJk75Y4TcT-zpGGUjebtAg"
                                                                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              File Type:ASCII text, with very long lines (3183)
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):3188
                                                                                                                                                              Entropy (8bit):5.8365715329833385
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:96:9KUelimIN6666VD11q5h/5w0jbP5He2FXvF79XffffQo:9KBsN6666VDe5h/5PhHe2ZJ9b
                                                                                                                                                              MD5:5AEAB4B89584FAF631800183D6BD349D
                                                                                                                                                              SHA1:6B6F87DC2B2ADBD3FA93D46D7CCD42396CA577AA
                                                                                                                                                              SHA-256:D88F87E24EC47E377469C0DB0984C81FB5ADDF653F90A641E13CF24770BCE361
                                                                                                                                                              SHA-512:99CC85A03E23D77B72F9F70CBE37C49A55FB6BD253A6ABFB84B7ABEB6AB7D06ABF7DBE41820265B05E1F2C8A13CB4B815A71C1A73BB2AE485BC2735BDC9A5C81
                                                                                                                                                              Malicious:false
                                                                                                                                                              URL:https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
                                                                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              File Type:PNG image data, 106 x 5210, 8-bit/color RGBA, non-interlaced
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):137432
                                                                                                                                                              Entropy (8bit):7.981759932974614
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3072:SWkkEsWBwvkw/2i4fhpATVmE6383x4L6EWL3UQ7lE7sPE:SVAwwswerUv3S4nhdPE
                                                                                                                                                              MD5:387ED93F42803B1EC6697E3B57FBCEF0
                                                                                                                                                              SHA1:2EA8A5BFBF99144BD0EBAEBE60AC35406A8B613E
                                                                                                                                                              SHA-256:982AAC952E2C938BD55550D0409ECE5F4430D38F370161D8318678FA25316587
                                                                                                                                                              SHA-512:7C90F69A53E49BAD03C4CEFD9868B4C4BA145E5738218E8C445FF6AE5347153E3A2F2B918CBE184B0366AFD53B984634D2894FEA6F31A4603E58CCB6BFA5C625
                                                                                                                                                              Malicious:false
                                                                                                                                                              URL:https://ssl.gstatic.com/gb/images/sprites/p_2x_387ed93f4280.png
                                                                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              File Type:ASCII text
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):29
                                                                                                                                                              Entropy (8bit):3.9353986674667634
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:VQAOx/1n:VQAOd1n
                                                                                                                                                              MD5:6FED308183D5DFC421602548615204AF
                                                                                                                                                              SHA1:0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
                                                                                                                                                              SHA-256:4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
                                                                                                                                                              SHA-512:A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
                                                                                                                                                              Malicious:false
                                                                                                                                                              URL:https://www.google.com/async/newtab_promos
                                                                                                                                                              Preview:)]}'.{"update":{"promos":{}}}
                                                                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (3572), with no line terminators
Category:downloaded
Size (bytes):3572
Entropy (8bit):5.140651484312947
Encrypted:false
SSDEEP:48:vZUJVKLICJEconBdpZUvGCUvGULHg7OTehn5hsbrc7g8IO8u0Y8D2n:yJYI/coXqCg7OSfg8IO8uB8D2n
MD5:122C0858F7D38991F14E5ADC6BDB3C3B
SHA1:FFC64755EB42990A73C4878426A641CFB94B57EE
SHA-256:06D1296A6F6611AC795B27882FE88823EE857D0F49F7018CF00C6A199976DC0D
SHA-512:149A1FB533C8C7D5EA363B80982DC1EC4C39E5EF9BB37E45BC80E105B18C3FA4DC610449BBD70DE9B9AC7339FEBBBD4FF76C2A9D1FD104D1943A386539AC4D44
Malicious:false
URL:"https://www.gstatic.com/og/_/ss/k=og.qtm.RS0dNtaZmo0.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTuhe2hCYlalU7rKCW-qT_-zMhVRaw"
Preview:.gb_2e{background:rgba(60,64,67,.9);-webkit-border-radius:4px;border-radius:4px;color:#fff;font:500 12px "Roboto",arial,sans-serif;letter-spacing:.8px;line-height:16px;margin-top:4px;min-height:14px;padding:4px 8px;position:absolute;z-index:1000;-webkit-font-smoothing:antialiased}.gb_Fc{text-align:left}.gb_Fc>*{color:#bdc1c6;line-height:16px}.gb_Fc div:first-child{color:white}.gb_pa{background:none;border:1px solid transparent;-webkit-border-radius:50%;border-radius:50%;-webkit-box-sizing:border-box;box-sizing:border-box;cursor:pointer;height:40px;margin:8px;outline:none;padding:1px;position:absolute;right:0;top:0;width:40px}.gb_pa:hover{background-color:rgba(68,71,70,.08)}.gb_pa:focus,.gb_pa:active{background-color:rgba(68,71,70,.12)}.gb_pa:focus-visible{border-color:#0b57d0;outline:1px solid transparent;outline-offset:-1px}.gb_i .gb_pa:hover,.gb_i .gb_pa:focus,.gb_i .gb_pa:active{background-color:rgba(227,227,227,.08)}.gb_i .gb_pa:focus-visible{border-color:#a8c7fa}.gb_qa{-webkit-box

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (65531)
Category:downloaded
Size (bytes):137077
Entropy (8bit):5.441424088159115
Encrypted:false
SSDEEP:1536:jdGuEyNn2zuFRDP6nWysx3DMqPKnrzNSpGiV1p+RHPGb4guje18jZRLM9rZxMkPr:DLnoap3DTKnrQpG4nQUduZ6ZxMkmwXd
MD5:4B78E2A0E5BAF050D8EDF97BE9CEE75F
SHA1:8C4C54AF17247898E9FA012589CA516EFCB27C05
SHA-256:A1CDA0D03D19A9C08E2C4328B2DB277169173BA25F23A8F913609AD4235AC145
SHA-512:DBDF355688AEB57D29557A6D9B74A574F7B5C2C30F55B998F196790C7C960A7A9908E36416C8DF8839AFC99D418FBB0563D6DB6107AD81AB42FAE69D7D310D64
Malicious:false
URL:https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Qa gb_hb gb_Td gb_nd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Hd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_rd gb_kd gb_xd gb_wd\"\u003e\u003cdiv class\u003d\"gb_qd gb_gd\"\u003e\u003cdiv class\u003d\"gb_Oc gb_q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Oc gb_Rc gb_q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (769)
Category:downloaded
Size (bytes):1424
Entropy (8bit):5.31660097498527
Encrypted:false
SSDEEP:24:kWfS+Xg1QmYTY29/RbFTVebYaThG8VgI4+O6tp41SZGbwfKGbeZPx/sMGOwsNEZ9:ZfS+wmmc/bFpw/A8R3fpWgGb+KGbipsZ
MD5:13D1BE6BC9AA2CA332D553D2D4491DE1
SHA1:F7E7A540E69006ED7470EB2AED4EF19BE4A1AF0C
SHA-256:4C205DD66FDACFF32EB2B63273FB74DB1E29DBD5C9B97F0F6641378174257F39
SHA-512:A1DD99D4ED179D4FA138A7C500589896F3A5DA06758ED72F67D05243519FB5EADF2184D9B67F0F9337FF55B5F5982D93245A8FF41E6F8F1D619CAC8D47C9FF4A
Malicious:false
URL:"https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.es5.O/ck=boq-one-google.OneGoogleWidgetUi.tmXdt9lP4MI.L.B1.O/am=EGDQuQMg/d=1/exm=A7fCU,BVgquf,COQbmf,EEDORb,EFQ78c,GkRiKb,IZT63,JNoxi,KG2eXe,KUM7Z,L1AAkb,LEikZe,MI6k7c,MdUzUe,Mlhmy,MpJwZc,NwH0H,O1Gjze,O6y8ed,OTA3Ae,OmgaI,PrPYRd,QIhFr,RMhBfe,RqjULd,SdcwHb,SpsfSb,U0aPgd,UUJqVe,Uas9Hd,Ulmmrd,V3dDOb,VwDzFe,XVMNvd,Z5uLle,ZfAoz,ZwDk9d,_b,_tp,aDfbSd,aW3pY,aurFic,byfTOb,e5qFLc,fKUV3e,gychg,hKSk3e,hc6Ubd,kWgXee,kjKdXe,lazG7b,lsjVmc,lwddkf,mI3LFb,mdR7q,n73qwf,ovKuLd,pjICDe,pw70Gc,s39S4,w9hDv,wmnU7d,ws9Tlc,xQtZb,xUdipf,yDVVkb,zbML3c,zr1jrb/excm=_b,_tp,appwidgetnoauthview/ed=1/wt=2/ujg=1/rs=AM-SdHuoOol6PGq-lFlTYeoE9lb9o902mQ/ee=EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:SdcwHb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SNUn3:ZwDk9d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:QIhFr;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:s39S4;oGtAuc:sOXFj;pXdRYb:MdUzUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;wR5FRb:O1Gjze;xqZiqf:wmnU7d;yxTchf:KUM7Z;zxnPse:GkRiKb/m=bm51tf"
Preview:"use strict";this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi||{};(function(_){var window=this;.try{._.q("bm51tf");.var Uoa=!!(_.Jg[0]>>17&1);var Voa=function(a,b,c,d,e){this.o=a;this.N=b;this.v=c;this.O=d;this.W=e;this.j=0;this.l=tW(this)},Woa=function(a){var b={};_.Da(a.tq(),function(e){b[e]=!0});var c=a.kq(),d=a.mq();return new Voa(a.lq(),1E3*c.j(),a.fq(),1E3*d.j(),b)},tW=function(a){return Math.random()*Math.min(a.N*Math.pow(a.v,a.j),a.O)},uW=function(a,b){return a.j>=a.o?!1:null!=b?!!a.W[b]:!0};var vW=function(a){_.Q.call(this,a.oa);this.o=a.service.Jr;this.v=a.service.metadata;a=a.service.ID;this.l=a.o.bind(a)};_.G(vW,_.Q);vW.qa=_.Q.qa;vW.V=function(){return{service:{Jr:_.rW,metadata:_.nW,ID:_.DU}}};vW.prototype.j=function(a,b){if(1!=this.v.getType(a.Cb()))return _.Nn(a);var c=this.o.j;(c=c?Woa(c):null)&&uW(c)?(b=wW(this,a,b,c),a=new _.Mn(a,b,2)):a=_.Nn(a);return a};.var wW=function(a,b,c,d){return c.then(function(e){return e},function(e){if(Uoa)if(e instanceof _.ee)

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 106 x 5210, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):137432
Entropy (8bit):7.981759932974614
Encrypted:false
SSDEEP:3072:SWkkEsWBwvkw/2i4fhpATVmE6383x4L6EWL3UQ7lE7sPE:SVAwwswerUv3S4nhdPE
MD5:387ED93F42803B1EC6697E3B57FBCEF0
SHA1:2EA8A5BFBF99144BD0EBAEBE60AC35406A8B613E
SHA-256:982AAC952E2C938BD55550D0409ECE5F4430D38F370161D8318678FA25316587
SHA-512:7C90F69A53E49BAD03C4CEFD9868B4C4BA145E5738218E8C445FF6AE5347153E3A2F2B918CBE184B0366AFD53B984634D2894FEA6F31A4603E58CCB6BFA5C625
Malicious:false
Preview:.PNG........IHDR...j...Z.......{.....IDATx...S`......V.4gzl.>.m.m.m.>c......8.J..p....*k..i.k...f..v.VeG....V.^,.Y8>..U.(+...fbJ...q.G.kb#.T)F......~..&)+&....'..].~.j5....!.j.<..xJ..&.T91<.......3...|.4.Uu...c..t..\<#S.........+...M?ew.(....w..h.c.PU.>.C.:.P..Wq...4..[.......k{TG.C.~.$=U..>.....4c+9.s...d.,...h...$.dk..0T3..63$.l.6...O.O..z..J..C...fjZ...i...J..P-T.B5-T..PM..B5-T.B.PM..P-T.B5.].....9...cZ.*./.b.I....Z..\......^...(..............u.G..O.c.....`k....qx/..U-.U..0.[.:..$.......fx5.l..h..g..O'9..%.E=...x&.P.....?R.\..../.......s.-MU..U..o..Q.1.%.l.gb.....I.zxD..t.&.u[.:R.N..:.d.............].{..z.M..-}Sw@b....[.D..#1$s.I..0..L....I.....i.Z....... MZ...j....i.Z...jZ...i.....jZ...i......z"/...._....q...gU.b.IHO.5....,n........PX..$.._.9(Mw..D../.C......l.....x..Q|...(..$#../.....GB...7bS..B..G.....Tb.Yx6^.9..C.F..oMrx..p..<N3.=.1...$.....-N.t.jt6..&..J...G..z!..Ff.i...v._..a.....R%I....f....t....._..5.l...A..C.=c(V..)......0$.jg..KT..*E.r

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (736)
Category:downloaded
Size (bytes):3506
Entropy (8bit):5.552607887805469
Encrypted:false
SSDEEP:96:86yHtxMPvVSbAtxNYiSJ6vq67scSlIcBfGx:FwIOT6LsHIIc
MD5:593442F87585F1132C36467C73BFE543
SHA1:BA98753092124B479848B1E1F21E6061AA2AF023
SHA-256:AC97464705BCFF9AF73D579E851C12940AAF8C11B31B6306B1C1163CEE904CCA
SHA-512:0552B2EC488E8C5BC03EE6A5A861D202980309E6C99B35891EEAD33319054BB91CA439ECF8C5E1402EC51AB30399F5265BB63838A5249A3487EDBA30F2807417
Malicious:false
URL:"https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.es5.O/ck=boq-one-google.OneGoogleWidgetUi.tmXdt9lP4MI.L.B1.O/am=EGDQuQMg/d=1/exm=A7fCU,BVgquf,COQbmf,EEDORb,EFQ78c,GkRiKb,IZT63,JNoxi,KG2eXe,KUM7Z,L1AAkb,LEikZe,MI6k7c,MdUzUe,Mlhmy,MpJwZc,NwH0H,O1Gjze,O6y8ed,OTA3Ae,OmgaI,PrPYRd,QIhFr,RMhBfe,RqjULd,SdcwHb,SpsfSb,U0aPgd,UUJqVe,Uas9Hd,Ulmmrd,V3dDOb,VwDzFe,XVMNvd,Z5uLle,ZfAoz,ZwDk9d,_b,_tp,aDfbSd,aW3pY,aurFic,bm51tf,byfTOb,e5qFLc,fKUV3e,gychg,hKSk3e,hc6Ubd,kWgXee,kjKdXe,lazG7b,lsjVmc,lwddkf,mI3LFb,mdR7q,n73qwf,ovKuLd,pjICDe,pw70Gc,s39S4,w9hDv,wmnU7d,ws9Tlc,xQtZb,xUdipf,yDVVkb,zbML3c,zr1jrb/excm=_b,_tp,appwidgetnoauthview/ed=1/wt=2/ujg=1/rs=AM-SdHuoOol6PGq-lFlTYeoE9lb9o902mQ/ee=EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:SdcwHb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SNUn3:ZwDk9d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:QIhFr;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:s39S4;oGtAuc:sOXFj;pXdRYb:MdUzUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;wR5FRb:O1Gjze;xqZiqf:wmnU7d;yxTchf:KUM7Z;zxnPse:GkRiKb/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:"use strict";this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi||{};(function(_){var window=this;.try{._.q("Wt6vjf");.var uy=function(a){this.ua=_.x(a,0,uy.ob)};_.G(uy,_.C);uy.prototype.Ya=function(){return _.nk(this,1)};uy.prototype.oc=function(a){_.Fk(this,1,a)};uy.ob="f.bo";var vy=function(){_.ln.call(this)};_.G(vy,_.ln);vy.prototype.mb=function(){this.Fq=!1;wy(this);_.ln.prototype.mb.call(this)};vy.prototype.j=function(){xy(this);if(this.Tj)return yy(this),!1;if(!this.Qr)return zy(this),!0;this.dispatchEvent("p");if(!this.So)return zy(this),!0;this.Nn?(this.dispatchEvent("r"),zy(this)):yy(this);return!1};.var Ay=function(a){var b=new _.mt(a.gx);null!=a.Ip&&b.l.set("authuser",a.Ip);return b},yy=function(a){a.Tj=!0;var b=Ay(a),c="rt=r&f_uid="+_.mi(a.So);_.Qo(b,(0,_.E)(a.l,a),"POST",c)};.vy.prototype.l=function(a){a=a.target;xy(this);if(_.Xo(a)){this.Pm=0;if(this.Nn)this.Tj=!1,this.dispatchEvent("r");else if(this.Qr)this.dispatchEvent("s");else{try{var b=_.Yo(a),c=JSON.pars

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:Web Open Font Format (Version 2), TrueType, length 15344, version 1.0
Category:downloaded
Size (bytes):15344
Entropy (8bit):7.984625225844861
Encrypted:false
SSDEEP:384:ctE5KIuhGO+DSdXwye6i9Xm81v4vMHCbppV0pr3Ll9/w:cqrVO++tw/9CICFbQLlxw
MD5:5D4AEB4E5F5EF754E307D7FFAEF688BD
SHA1:06DB651CDF354C64A7383EA9C77024EF4FB4CEF8
SHA-256:3E253B66056519AA065B00A453BAC37AC5ED8F3E6FE7B542E93A9DCDCC11D0BC
SHA-512:7EB7C301DF79D35A6A521FAE9D3DCCC0A695D3480B4D34C7D262DD0C67ABEC8437ED40E2920625E98AAEAFBA1D908DEC69C3B07494EC7C29307DE49E91C2EF48
Malicious:false
URL:https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2
Preview:wOF2......;........H..;..........................d..@..J.`..L.T..<.....x.....^...x.6.$..6. ..t. ..I.h|.l....A....b6........(......@e.]...*:..-.0..r.)..hS..h...N.).D.........b.].......^..t?.m{...."84...9......c...?..r3o....}...S]....zbO.../z..{.....~cc....I...#.G.D....#*e.A..b...b`a5P.4........M....v4..fI#X.z,.,...=avy..F.a.\9.P|.[....r.Q@M.I.._.9..V..Q..]......[ {u..L@...]..K......]C....l$.Z.Z...Zs.4........ x.........F.?.7N..].|.wb\....Z{1L#..t....0.dM...$JV...{..oX...i....6.v.~......)|.TtAP&).KQ.]y........'...:.d..+..d..."C.h..p.2.M..e,.*UP..@.q..7..D.@...,......B.n. r&.......F!.....\...;R.?-.i...,7..cb../I...Eg...!X.)5.Aj7...Ok..l7.j.A@B`".}.w.m..R.9..T.X.X.d....S..`XI..1... .$C.H.,.\. ..A(.AZ.................`Wr.0]y..-..K.1.............1.tBs..n.0...9.F[b.3x...*$....T..PM.Z-.N.rS?I.<8eR'.3..27..?;..OLf*.Rj.@.o.W...........j~ATA....vX.N:.3dM.r.)Q.B...4i.f..K.l..s....e.U.2...k..a.GO.}..../.'..%$..ed.*.'..qP....M..j....../.z&.=...q<....-..?.A.%..K..

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (1657)
Category:downloaded
Size (bytes):264743
Entropy (8bit):5.479126042995795
Encrypted:false
SSDEEP:3072:XdPMHc2NQzfk5eINolYDt6QYGfOvNoK42TCboc:yNQz4NolQwQz2lVZmboc
MD5:951F5CB1728D3C62E6006801A61D2BE3
SHA1:3B9B0CD9203226263F8E32B336ADC5532E54A308
SHA-256:A50889187D77C8E3E0439A0D5C155159EAA7A3DBEC35111D7131EC88C0A228F7
SHA-512:E030EBF4A1683F176C1873DAD0B717D307253CC0EA1D40BF39F22E3B95C71FCD58907A6B1DFE9F9740FBE1303C59DF1FE70E4B102BFA86269EC49AAA29664FB8
Malicious:false
URL:"https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.es5.O/ck=boq-one-google.OneGoogleWidgetUi.tmXdt9lP4MI.L.B1.O/am=EGDQuQMg/d=1/exm=_b,_tp/excm=_b,_tp,appwidgetnoauthview/ed=1/wt=2/ujg=1/rs=AM-SdHuoOol6PGq-lFlTYeoE9lb9o902mQ/ee=EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:SdcwHb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SNUn3:ZwDk9d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:QIhFr;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:s39S4;oGtAuc:sOXFj;pXdRYb:MdUzUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;wR5FRb:O1Gjze;xqZiqf:wmnU7d;yxTchf:KUM7Z;zxnPse:GkRiKb/m=ws9Tlc,n73qwf,GkRiKb,e5qFLc,IZT63,UUJqVe,O1Gjze,byfTOb,lsjVmc,xUdipf,OTA3Ae,COQbmf,fKUV3e,aurFic,U0aPgd,ZwDk9d,V3dDOb,mI3LFb,aDfbSd,O6y8ed,PrPYRd,MpJwZc,LEikZe,NwH0H,OmgaI,lazG7b,XVMNvd,L1AAkb,KUM7Z,Mlhmy,s39S4,lwddkf,gychg,w9hDv,EEDORb,RMhBfe,SdcwHb,aW3pY,pw70Gc,EFQ78c,Ulmmrd,ZfAoz,mdR7q,wmnU7d,xQtZb,JNoxi,kWgXee,MI6k7c,kjKdXe,BVgquf,QIhFr,ovKuLd,hKSk3e,yDVVkb,hc6Ubd,SpsfSb,KG2eXe,Z5uLle,MdUzUe,VwDzFe,zbML3c,A7fCU,zr1jrb,Uas9Hd,pjICDe"
Preview:"use strict";_F_installCss(".KL4X6e{background:#eee;bottom:0;left:0;opacity:0;position:absolute;right:0;top:0}.TuA45b{opacity:.8}sentinel{}");.this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi||{};(function(_){var window=this;.try{.var Ky;_.Cy=function(a,b,c,d,e,f,g){a=a.ua;var h=(0,_.Wc)(a);_.lc(h);b=_.rd(a,h,c,b,2,f,!0);c=null!=d?d:new c;if(g&&("number"!==typeof e||0>e||e>b.length))throw Error();void 0!=e?b.splice(e,g,c):b.push(c);(0,_.jc)(c.ua)&2?(0,_.gk)(b,8):(0,_.gk)(b,16)};_.Qr.prototype.Mb=_.ca(28,function(){if(0<this.ub.length){var a=this.ub[0];if("textContent"in a)return(0,_.Eh)(a.textContent);if("innerText"in a)return(0,_.Eh)(a.innerText)}return""});._.Qr.prototype.kc=_.ca(27,function(){return 0==this.ub.length?null:new _.M(this.ub[0])});_.M.prototype.kc=_.ca(26,function(){return this});_.Qr.prototype.Ka=_.ca(25,function(){return this.ub.length?this.ub[0]:null});_.M.prototype.Ka=_.ca(24,function(){return this.ub[0]});_.Dy=function(a,b,c){if(!b&&!c)return null;var

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:SVG Scalable Vector Graphics image
Category:downloaded
Size (bytes):1660
Entropy (8bit):4.301517070642596
Encrypted:false
SSDEEP:48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
MD5:554640F465EB3ED903B543DAE0A1BCAC
SHA1:E0E6E2C8939008217EB76A3B3282CA75F3DC401A
SHA-256:99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
SHA-512:462198E2B69F72F1DC9743D0EA5EED7974A035F24600AA1C2DE0211D978FF0795370560CBF274CCC82C8AC97DC3706C753168D4B90B0B81AE84CC922C055CFF0
Malicious:false
URL:https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Preview:<svg xmlns="http://www.w3.org/2000/svg" width="74" height="24" viewBox="0 0 74 24"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"/><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"/><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (2124)
Category:downloaded
Size (bytes):121628
Entropy (8bit):5.506662476672723
Encrypted:false
SSDEEP:3072:QI9yvwslCsrCF9f/U2Dj3Fkk7rEehA5L1kx:l9ygsrieDkVaL1kx
MD5:F46ACD807A10216E6EEE8EA51E0F14D6
SHA1:4702F47070F7046689432DCF605F11364BC0FBED
SHA-256:D6B84873D27E7E83CF5184AAEF778F1CCB896467576CD8AF2CAD09B31B3C6086
SHA-512:811263DC85C8DAA3A6E5D8A002CCCB953CD01E6A77797109835FE8B07CABE0DEE7EB126274E84266229880A90782B3B016BA034E31F0E3B259BF9E66CA797028
                                                                                                                                                              Malicious:false
                                                                                                                                                              URL:"https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0"
                                                                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1136)
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):1555
                                                                                                                                                              Entropy (8bit):5.249530958699059
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24:hY6svN/6zSU6pedQf3Zvcn1BZdAe1nCr1LTHI5z1sW:3qN/2+pUAew85zf
                                                                                                                                                              MD5:FBE36EB2EECF1B90451A3A72701E49D2
                                                                                                                                                              SHA1:AE56EA57C52D1153CEC33CEF91CF935D2D3AF14D
                                                                                                                                                              SHA-256:E8F2DED5D74C0EE5F427A20B6715E65BC79ED5C4FC67FB00D89005515C8EFE63
                                                                                                                                                              SHA-512:7B1FD6CF34C26AF2436AF61A1DE16C9DBFB4C43579A9499F4852A7848F873BAC15BEEEA6124CF17F46A9F5DD632162364E0EC120ACA5F65E7C5615FF178A248F
                                                                                                                                                              Malicious:false
                                                                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              File Type:ASCII text, with very long lines (2956)
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):18834
                                                                                                                                                              Entropy (8bit):5.407489764960331
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:384:aRFPTuu4q5oOTm1j8B0K5WXv/8bU2wnO/mgzI4QSIZ0n9vDBTTY0TXCnh/9Clf9c:a/Tuu4q5oOTLB0K5WXv/8bU2wnO/mgze
                                                                                                                                                              MD5:676CD2F5702D832A1E3E2F08257FEB37
                                                                                                                                                              SHA1:1019B84107A8F84A77A651BDCBE0A7F425DE3661
                                                                                                                                                              SHA-256:F58B6E0D4393A8BB15423EC49867875FB38EB820E0A7D13A7E80F4DCE7EB342E
                                                                                                                                                              SHA-512:FF43FA6A37CE55F660052AE71F9301064638BC6D14F0DE8161E3E4E9C66D7CC5BE72D752540031BFF801228F905DDBA515DFAE15DFC6AAAC0654691C2A0AE365
                                                                                                                                                              Malicious:false
                                                                                                                                                              URL:"https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.es5.O/ck=boq-one-google.OneGoogleWidgetUi.tmXdt9lP4MI.L.B1.O/am=EGDQuQMg/d=1/exm=A7fCU,BVgquf,COQbmf,EEDORb,EFQ78c,GkRiKb,IZT63,JNoxi,KG2eXe,KUM7Z,L1AAkb,LEikZe,MI6k7c,MdUzUe,Mlhmy,MpJwZc,NwH0H,O1Gjze,O6y8ed,OTA3Ae,OmgaI,PrPYRd,QIhFr,RMhBfe,SdcwHb,SpsfSb,U0aPgd,UUJqVe,Uas9Hd,Ulmmrd,V3dDOb,VwDzFe,XVMNvd,Z5uLle,ZfAoz,ZwDk9d,_b,_tp,aDfbSd,aW3pY,aurFic,byfTOb,e5qFLc,fKUV3e,gychg,hKSk3e,hc6Ubd,kWgXee,kjKdXe,lazG7b,lsjVmc,lwddkf,mI3LFb,mdR7q,n73qwf,ovKuLd,pjICDe,pw70Gc,s39S4,w9hDv,wmnU7d,ws9Tlc,xQtZb,xUdipf,yDVVkb,zbML3c,zr1jrb/excm=_b,_tp,appwidgetnoauthview/ed=1/wt=2/ujg=1/rs=AM-SdHuoOol6PGq-lFlTYeoE9lb9o902mQ/ee=EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:SdcwHb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SNUn3:ZwDk9d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:QIhFr;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:s39S4;oGtAuc:sOXFj;pXdRYb:MdUzUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;wR5FRb:O1Gjze;xqZiqf:wmnU7d;yxTchf:KUM7Z;zxnPse:GkRiKb/m=RqjULd"
                                                                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              File Type:HTML document, ASCII text, with very long lines (21072)
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):53487
                                                                                                                                                              Entropy (8bit):5.7389274800710295
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:768:+ImEghhvpu75y1C6kb02aFe04FV6HbWb1wYpIZQzFJ/N4SxkAyvA:RA1CwbW+mI019xovA
                                                                                                                                                              MD5:6CD454A7EC68230B6D021CA33F5D1C9D
                                                                                                                                                              SHA1:DE2D3D027A71FEC4FC9E1E8598D8511526D7BAA0
                                                                                                                                                              SHA-256:AA5809F08CA7433146FC57994CF863787C8E5FBF86C34DC7267E26E010FBDD9F
                                                                                                                                                              SHA-512:0D46D5C49037D0C8DB4069D18F5CCB54E8AFFC9CC7406EB1C60BDF3FBE7647C0A98C0AF7C528675F80871BA0D4ABC88B3DCB4AB3D269ADEE5AEB4337F13BA044
                                                                                                                                                              Malicious:false
                                                                                                                                                              URL:https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en
                                                                                                                                                              Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):3773
                                                                                                                                                              Entropy (8bit):4.7109073551842435
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                                                                                              MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                                                                                              SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                                                                                              SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                                                                                              SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Entropy (8bit):6.644490421223367
                                                                                                                                                              TrID:
                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                              File name:OgcktrbHkI.exe
                                                                                                                                                              File size:334'336 bytes
                                                                                                                                                              MD5:35f519000ad078d242c0bce097c59b31
                                                                                                                                                              SHA1:41a3c859c36a4240a51e6ce17ab269e8d2728eb0
                                                                                                                                                              SHA256:1dc79692db8709e88fee042c5555f8432dc4638442887d8150b8b7c67f5f3eb2
                                                                                                                                                              SHA512:260f2efe4757c518f96269ba3a3fd5b5c603fa6a52d9c0d976222158609911004ce48df4e75298c11de67ea29d91969f217986e4c0f1b83bb2f5d2a43a772997
                                                                                                                                                              SSDEEP:3072:KLTZ5XJKQsp6NU4tqwCyc40r+oeHpmCR54kDSWegJSVE+Er20L4fdoiKuIov5QId:KbCt44p40rqHPbDb86r2LiNovrb/a
                                                                                                                                                              TLSH:53645A83E3D17D51E5268B32AE1F86E4366DF9618E1D7B2F722CAA1F14700B1C263B51
                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........r.....................................................?g..............?g......Rich....................PE..L...r..d...........
                                                                                                                                                              Icon Hash:53256551494d710d
                                                                                                                                                              Entrypoint:0x4040e2
                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                              Digitally signed:false
                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                              DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                              Time Stamp:0x6482FD72 [Fri Jun 9 10:22:42 2023 UTC]
                                                                                                                                                              TLS Callbacks:
                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                              OS Version Major:5
                                                                                                                                                              OS Version Minor:1
                                                                                                                                                              File Version Major:5
                                                                                                                                                              File Version Minor:1
                                                                                                                                                              Subsystem Version Major:5
                                                                                                                                                              Subsystem Version Minor:1
                                                                                                                                                              Import Hash:8c46e70ae529243985f9b527b4223811
                                                                                                                                                              Instruction
                                                                                                                                                              call 00007F893D0928E5h
                                                                                                                                                              jmp 00007F893D08D564h
                                                                                                                                                              cmp ecx, dword ptr [00419408h]
                                                                                                                                                              jne 00007F893D08D6E4h
                                                                                                                                                              rep ret
                                                                                                                                                              jmp 00007F893D092E75h
                                                                                                                                                              push ebp
                                                                                                                                                              mov ebp, esp
                                                                                                                                                              sub esp, 20h
                                                                                                                                                              push esi
                                                                                                                                                              push edi
                                                                                                                                                              push 00000008h
                                                                                                                                                              pop ecx
                                                                                                                                                              mov esi, 00413058h
                                                                                                                                                              lea edi, dword ptr [ebp-20h]
                                                                                                                                                              rep movsd
mov esi, dword ptr [ebp+0Ch]
mov edi, dword ptr [ebp+08h]
test esi, esi
je 00007F893D08D6F5h
test byte ptr [esi], 00000010h
je 00007F893D08D6F0h
mov ecx, dword ptr [edi]
sub ecx, 04h
push ecx
mov eax, dword ptr [ecx]
mov esi, dword ptr [eax+18h]
call dword ptr [eax+20h]
mov dword ptr [ebp-08h], edi
mov dword ptr [ebp-04h], esi
test esi, esi
je 00007F893D08D6EEh
test byte ptr [esi], 00000008h
je 00007F893D08D6E9h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [004120B8h]          ; indirect call through the IAT: 0x4120B8 = image base 0x400000 + RVA 0x120B8, inside the IAT directory (0x12000, size 0x188)
pop edi
pop esi
mov esp, ebp
pop ebp
retn 0008h
push eax
push dword ptr fs:[00000000h]       ; MSVC SEH prolog pattern: save the current head of the SEH chain
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00419408h]      ; /GS stack cookie, read from .data (RVA 0x19408)
xor eax, ebp                        ; cookie xor frame pointer, saved below the frame for the epilog check
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax   ; link the new registration record at ebp-0Ch into the SEH chain
ret
push ebp
mov ebp, esp
push esi
cld
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [esi+08h]
xor ecx, esi
call 00007F893D08D62Bh
push 00000000h
push esi
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [IMP] VS2008 SP1 build 30729
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x184e4 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15f8000 | 0x22d30 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x18520 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x179b8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x10c65 | 0x10e00 | ca2ae006464ad4dd687d4cdac0431d31 | False | 0.6018807870370371 | data | 6.696247910531625 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x12000 | 0x6db8 | 0x6e00 | b527d95631608a07ca0f092f718a1ae6 | False | 0.3915127840909091 | data | 4.749698531330876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x15de6c0 | 0x16c00 | 9c9c168a9495ea7819ef496b9e57a22d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x15f8000 | 0x22d30 | 0x22e00 | 70695cd905c427d7b1b95218c3fbb214 | False | 0.45000980062724016 | data | 5.271554303929021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
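A worked check of the section table above, added here as an example and not part of the Joe Sandbox report or the sample: it packs the four sections into real 40-byte IMAGE_SECTION_HEADER records using the report's Name, Virtual Address, Virtual Size, Raw Size and Characteristics values, parses them back, reproduces the data directory table's "Is in Section" column, and flags the layout anomaly a reverser looks at first. PointerToRawData is not listed in the report and is set to 0; the 4x inflation threshold is this example's own heuristic.

```python
"""Section-table triage on the section values the report lists for OgcktrbHkI.exe.
Added example; the headers are constructed from the report's numbers, not read from
the sample file (PointerToRawData is not in the report and is left at 0)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes, little-endian)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def pack_section(name, vsize, va, raw_size, chars, raw_ptr=0):
    """Build one section header record the way a linker lays it out on disk."""
    return SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                               vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)


# Constructed from the report's section table (same order as listed there).
SECTION_TABLE = b"".join([
    pack_section(".text",  0x10c65,   0x1000,    0x10e00,
                 IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    pack_section(".rdata", 0x6db8,    0x12000,   0x6e00,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    pack_section(".data",  0x15de6c0, 0x19000,   0x16c00,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    pack_section(".rsrc",  0x22d30,   0x15f8000, 0x22e00,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

# Non-empty data directory RVAs from the report, to reproduce its "Is in Section" column.
DATA_DIRECTORIES = {"IMPORT": 0x184e4, "RESOURCE": 0x15f8000, "DEBUG": 0x18520,
                    "LOAD_CONFIG": 0x179b8, "IAT": 0x12000}


def parse_section_table(blob, count):
    """Decode `count` consecutive section headers starting at offset 0 of `blob`."""
    sections = []
    for i in range(count):
        fields = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        name, vsize, va, raw_size, raw_ptr = fields[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "chars": fields[9]})
    return sections


def section_for_rva(sections, rva):
    """Name of the section whose in-memory span covers `rva`, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def triage_sections(sections, inflate_ratio=4.0):
    """Return {section name: [issues]} for layouts typical of runtime unpacking."""
    findings = {}
    for s in sections:
        issues = []
        if s["raw_size"] == 0 and s["vsize"]:
            issues.append("no data on disk, %#x bytes in memory" % s["vsize"])
        elif s["raw_size"] and s["vsize"] / s["raw_size"] >= inflate_ratio:
            issues.append("in-memory size is %.0fx the on-disk size; room for unpacked code or data"
                          % (s["vsize"] / s["raw_size"]))
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            issues.append("writable and executable on disk")
        if issues:
            findings[s["name"]] = issues
    return findings


if __name__ == "__main__":
    secs = parse_section_table(SECTION_TABLE, 4)
    for s in secs:
        print("%-7s va=%#09x vsize=%#09x raw=%#07x" % (s["name"], s["va"], s["vsize"], s["raw_size"]))
    for name, rva in DATA_DIRECTORIES.items():
        print("%-12s %#09x -> %s" % (name, rva, section_for_rva(secs, rva)))
    for name, issues in triage_sections(secs).items():
        print(name + ": " + "; ".join(issues))
```

On this table the only finding is .data: 0x15de6c0 bytes in memory against 0x16c00 on disk, the shape of a region reserved for code or data that only exists after the sample unpacks itself at runtime. The section is writable but not executable on disk, so a static check like this one cannot see rights being changed later; that is what dynamic analysis (and the VirtualProtect entry in the import table below) is for.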
Name | RVA | Size | Type | ZLIB Complexity
(The report's Language and Country columns are empty for every entry.)
RT_CURSOR | 0x1617ca8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.26439232409381663
RT_CURSOR | 0x1618b50 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.3686823104693141
RT_CURSOR | 0x16193f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.49060693641618497
RT_ICON | 0x15f8a90 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.3696695095948827
RT_ICON | 0x15f9938 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.45938628158844763
RT_ICON | 0x15fa1e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | 0.45564516129032256
RT_ICON | 0x15fa8a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.45447976878612717
RT_ICON | 0x15fae10 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | 0.2687759336099585
RT_ICON | 0x15fd3b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | 0.3062851782363977
RT_ICON | 0x15fe460 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | 0.35815602836879434
RT_ICON | 0x15fe930 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.56636460554371
RT_ICON | 0x15ff7d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.5473826714801444
RT_ICON | 0x1600080 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.6170520231213873
RT_ICON | 0x16005e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | 0.4628630705394191
RT_ICON | 0x1602b90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | 0.48827392120075047
RT_ICON | 0x1603c38 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | 0.49631147540983606
RT_ICON | 0x16045c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | 0.449468085106383
RT_ICON | 0x1604a90 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.4256396588486141
RT_ICON | 0x1605938 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.4927797833935018
RT_ICON | 0x16061e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | 0.5921658986175116
RT_ICON | 0x16068a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.5180635838150289
RT_ICON | 0x1606e10 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | 0.46856846473029046
RT_ICON | 0x16093b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | 0.4821763602251407
RT_ICON | 0x160a460 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | 0.48565573770491804
RT_ICON | 0x160ade8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | 0.5212765957446809
RT_ICON | 0x160b2c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.49173773987206826
RT_ICON | 0x160c170 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.4684115523465704
RT_ICON | 0x160ca18 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.440028901734104
RT_ICON | 0x160cf80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | 0.2794605809128631
RT_ICON | 0x160f528 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | 0.2879924953095685
RT_ICON | 0x16105d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | 0.3061475409836066
RT_ICON | 0x1610f58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | 0.33156028368794327
RT_ICON | 0x1611428 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | 0.4107142857142857
RT_ICON | 0x16122d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | 0.5947653429602888
RT_ICON | 0x1612b78 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | 0.6509216589861752
RT_ICON | 0x1613240 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | 0.6329479768786127
RT_ICON | 0x16137a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | 0.5797717842323652
RT_ICON | 0x1615d50 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | 0.6186679174484052
RT_ICON | 0x1616df8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | 0.589344262295082
RT_ICON | 0x1617780 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | 0.6835106382978723
RT_DIALOG | 0x1619c18 | 0x5a | data | 0.8666666666666667
RT_STRING | 0x1619c78 | 0x4b2 | data | 0.44342762063227953
RT_STRING | 0x161a130 | 0x56a | data | 0.4379509379509379
RT_STRING | 0x161a6a0 | 0x68e | data | 0.4237187127532777
RT_ACCELERATOR | 0x1617c60 | 0x48 | data | 0.8333333333333334
RT_GROUP_CURSOR | 0x1619960 | 0x30 | data | 0.9375
RT_GROUP_ICON | 0x1604a28 | 0x68 | data | 0.7019230769230769
RT_GROUP_ICON | 0x15fe8c8 | 0x68 | data | 0.6826923076923077
RT_GROUP_ICON | 0x160b250 | 0x76 | data | 0.6779661016949152
RT_GROUP_ICON | 0x1617be8 | 0x76 | data | 0.6694915254237288
RT_GROUP_ICON | 0x16113c0 | 0x68 | data | 0.7211538461538461
RT_VERSION | 0x1619990 | 0x284 | data | 0.5295031055900621
DLL | Import
KERNEL32.dll | GlobalMemoryStatus, SetComputerNameExA, CommConfigDialogA, LoadLibraryExW, InterlockedIncrement, GetConsoleAliasA, InterlockedDecrement, GetComputerNameW, BackupSeek, GetModuleHandleW, GetWindowsDirectoryA, EnumTimeFormatsA, SetCommState, GlobalAlloc, GetSystemDirectoryW, GlobalFindAtomA, LoadLibraryW, GetLocaleInfoW, CreateEventA, GetACP, GetConsoleOutputCP, GetLastError, SetLastError, GetProcAddress, LockFileEx, SetComputerNameA, SetFileAttributesA, BuildCommDCBW, WriteConsoleA, CreateHardLinkW, SetConsoleCtrlHandler, AddAtomA, GetModuleFileNameA, VirtualProtect, GetVersionExA, ReadConsoleInputW, GetCurrentProcessId, GetTempPathA, GetVolumeInformationW, LocalFileTimeToFileTime, CloseHandle, WriteConsoleW, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineW, RaiseException, RtlUnwind, HeapFree, HeapAlloc, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, HeapSize, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, ReadFile, GetConsoleMode, ReadConsoleW, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, SetFilePointerEx, GetCurrentThreadId, GetProcessHeap, GetModuleFileNameW, WriteFile, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, IsValidCodePage, GetOEMCP, GetCPInfo, HeapReAlloc, SetStdHandle, LCMapStringW, GetConsoleCP, FlushFileBuffers, OutputDebugStringW, GetStringTypeW, CreateFileW
USER32.dll | ChangeMenuA
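An import-table triage pass over the listing above, added as an example and not part of the report or the sample. It applies the pefile-style imphash normalisation (lower-case, DLL extension stripped, "dll.function" joined with commas, MD5), reconstructs the IAT size that the data directory table reports from the import count, and flags the APIs that bear on the report's findings. Assumptions: the import order is the one listed above (imphash depends on it, so the hash only equals the sample's true imphash if that is also the binary's order), there are no ordinal-only imports (not handled here), and the WATCHLIST mapping is this example's own.

```python
"""Import-table triage for the report's DLL/Import listing. Added example, not the
report's or the sample's code. Import names are transcribed from the report in the
order listed; imphash is order-sensitive, so the hash here is only the sample's real
imphash if that order is the binary's. Ordinal imports are not handled."""
import hashlib

# Constructed from the report's "DLL | Import" table, in the order given there.
IMPORTS_FROM_REPORT = {
    "KERNEL32.dll": (
        "GlobalMemoryStatus, SetComputerNameExA, CommConfigDialogA, LoadLibraryExW, "
        "InterlockedIncrement, GetConsoleAliasA, InterlockedDecrement, GetComputerNameW, "
        "BackupSeek, GetModuleHandleW, GetWindowsDirectoryA, EnumTimeFormatsA, SetCommState, "
        "GlobalAlloc, GetSystemDirectoryW, GlobalFindAtomA, LoadLibraryW, GetLocaleInfoW, "
        "CreateEventA, GetACP, GetConsoleOutputCP, GetLastError, SetLastError, GetProcAddress, "
        "LockFileEx, SetComputerNameA, SetFileAttributesA, BuildCommDCBW, WriteConsoleA, "
        "CreateHardLinkW, SetConsoleCtrlHandler, AddAtomA, GetModuleFileNameA, VirtualProtect, "
        "GetVersionExA, ReadConsoleInputW, GetCurrentProcessId, GetTempPathA, "
        "GetVolumeInformationW, LocalFileTimeToFileTime, CloseHandle, WriteConsoleW, "
        "EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineW, "
        "RaiseException, RtlUnwind, HeapFree, HeapAlloc, ExitProcess, GetModuleHandleExW, "
        "MultiByteToWideChar, WideCharToMultiByte, HeapSize, IsDebuggerPresent, "
        "EnterCriticalSection, LeaveCriticalSection, ReadFile, GetConsoleMode, ReadConsoleW, "
        "GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, SetFilePointerEx, "
        "GetCurrentThreadId, GetProcessHeap, GetModuleFileNameW, WriteFile, "
        "QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, "
        "FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, "
        "InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, "
        "TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, IsValidCodePage, GetOEMCP, GetCPInfo, "
        "HeapReAlloc, SetStdHandle, LCMapStringW, GetConsoleCP, FlushFileBuffers, "
        "OutputDebugStringW, GetStringTypeW, CreateFileW"
    ).split(", "),
    "USER32.dll": ["ChangeMenuA"],
}

# This example's own mapping of imported APIs to the behaviour they enable (assumed).
WATCHLIST = {
    "VirtualProtect": "changes page protections (needed to make unpacked memory executable)",
    "GetProcAddress": "resolves APIs by name at runtime",
    "LoadLibraryW": "loads DLLs at runtime",
    "LoadLibraryExW": "loads DLLs at runtime",
    "IsDebuggerPresent": "debugger detection",
    "RaiseException": "raises SEH exceptions (C++ throw, or exception-based control flow)",
    "SetUnhandledExceptionFilter": "installs a top-level exception filter",
}


def normalized_imports(imports):
    """pefile-style normalisation: 'kernel32.virtualprotect', extension dropped."""
    out = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        out.extend("%s.%s" % (lib, f.lower()) for f in funcs)
    return out


def imphash(imports):
    """MD5 over the comma-joined normalised import list (named imports only)."""
    return hashlib.md5(",".join(normalized_imports(imports)).encode("ascii")).hexdigest()


def expected_iat_size(imports, pointer_size=4):
    """IAT bytes for a PE32 image: one pointer per import plus one null per DLL."""
    return pointer_size * sum(len(funcs) + 1 for funcs in imports.values())


def flag_capabilities(imports):
    """Subset of WATCHLIST actually present in the import table."""
    present = {f for funcs in imports.values() for f in funcs}
    return {api: why for api, why in WATCHLIST.items() if api in present}


def dynamic_api_resolution(imports):
    """True when the binary can look up arbitrary APIs at runtime."""
    present = {f for funcs in imports.values() for f in funcs}
    loaders = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
               "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExW"}
    return "GetProcAddress" in present and bool(present & loaders)


if __name__ == "__main__":
    print("imports:", len(normalized_imports(IMPORTS_FROM_REPORT)))
    print("expected IAT size: %#x" % expected_iat_size(IMPORTS_FROM_REPORT))
    print("imphash (listing order):", imphash(IMPORTS_FROM_REPORT))
    print("dynamic API resolution:", dynamic_api_resolution(IMPORTS_FROM_REPORT))
    for api, why in flag_capabilities(IMPORTS_FROM_REPORT).items():
        print("  %-28s %s" % (api, why))
```

The IAT arithmetic comes out at 0x188, the same value the data directory table shows for IMAGE_DIRECTORY_ENTRY_IAT: 96 imports plus one null terminator per DLL, four bytes each, which confirms the listing is complete. Treat the capability flags as weak on their own: IsDebuggerPresent, RaiseException, SetUnhandledExceptionFilter and GetProcAddress are also imported by ordinary VS2013 CRT start-up code, which the compiler tags above indicate this binary carries, so the report's behavioural signatures, not the import table, carry the evidence.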
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2024 15:20:50.803286076 CEST | 49678 | 443 | 192.168.2.4 | 104.46.162.224
May 4, 2024 15:20:50.975805044 CEST | 49675 | 443 | 192.168.2.4 | 173.222.162.32
May 4, 2024 15:20:59.840543032 CEST | 49733 | 443 | 192.168.2.4 | 142.250.217.132
May 4, 2024 15:20:59.840572119 CEST | 443 | 49733 | 142.250.217.132 | 192.168.2.4
May 4, 2024 15:20:59.840624094 CEST | 49733 | 443 | 192.168.2.4 | 142.250.217.132
May 4, 2024 15:20:59.841167927 CEST | 49734 | 443 | 192.168.2.4 | 142.250.217.132
May 4, 2024 15:20:59.841176987 CEST | 443 | 49734 | 142.250.217.132 | 192.168.2.4
May 4, 2024 15:20:59.841227055 CEST | 49734 | 443 | 192.168.2.4 | 142.250.217.132
May 4, 2024 15:20:59.841358900 CEST | 49735 | 443 | 192.168.2.4 | 142.250.217.132
May 4, 2024 15:20:59.841387033 CEST | 443 | 49735 | 142.250.217.132 | 192.168.2.4
May 4, 2024 15:20:59.841434956 CEST | 49735 | 443 | 192.168.2.4 | 142.250.217.132
May 4, 2024 15:20:59.841698885 CEST | 49736 | 443 | 192.168.2.4 | 142.250.217.132
May 4, 2024 15:20:59.841726065 CEST | 443 | 49736 | 142.250.217.132 | 192.168.2.4
May 4, 2024 15:20:59.841777086 CEST | 49736 | 443 | 192.168.2.4 | 142.250.217.132
May 4, 2024 15:20:59.844533920 CEST | 49736 | 443 | 192.168.2.4 | 142.250.217.132
May 4, 2024 15:20:59.844551086 CEST | 443 | 49736 | 142.250.217.132 | 192.168.2.4
May 4, 2024 15:20:59.844913960 CEST | 49735 | 443 | 192.168.2.4 | 142.250.217.132
May 4, 2024 15:20:59.844923973 CEST | 443 | 49735 | 142.250.217.132 | 192.168.2.4
May 4, 2024 15:20:59.845298052 CEST | 49734 | 443 | 192.168.2.4 | 142.250.217.132
                                                                                                                                                              May 4, 2024 15:20:59.845305920 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:20:59.845685005 CEST49733443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:20:59.845700979 CEST44349733142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.156265020 CEST44349736142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.159094095 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.160001040 CEST44349733142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.160922050 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.273819923 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.289328098 CEST49733443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.289331913 CEST49736443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.289391041 CEST49734443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.588893890 CEST49675443192.168.2.4173.222.162.32
                                                                                                                                                              May 4, 2024 15:21:00.751188040 CEST49734443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.751214027 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.752995014 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.753004074 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.753051996 CEST49734443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.797452927 CEST49733443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.797468901 CEST44349733142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.798654079 CEST44349733142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.798665047 CEST44349733142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.798718929 CEST49733443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.846596956 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.846615076 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.847564936 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.847592115 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.847635031 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.894514084 CEST49736443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:00.894536972 CEST44349736142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.895486116 CEST44349736142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.895498037 CEST44349736142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:00.895550966 CEST49736443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.088009119 CEST49734443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.088176012 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.093605995 CEST49733443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.093703985 CEST44349733142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.096170902 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.096235037 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.097778082 CEST49734443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.097795010 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.099266052 CEST49736443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.099332094 CEST44349736142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.100251913 CEST49733443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.100263119 CEST44349733142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.101059914 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.101069927 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.101692915 CEST49736443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.101710081 CEST44349736142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.193092108 CEST49734443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.193108082 CEST49733443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.193114042 CEST49736443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.259799004 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.273360968 CEST44349733142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.273488045 CEST44349733142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.273540974 CEST49733443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.275028944 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.275098085 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.275125027 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.275135040 CEST49734443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.275156021 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.275192976 CEST49734443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.277451992 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.277606010 CEST44349734142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.277643919 CEST49734443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.278358936 CEST44349736142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.278979063 CEST44349736142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.279021025 CEST49736443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.286144018 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.286192894 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.286225080 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.286231041 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.286278009 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.286309958 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.286313057 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.286365986 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.286397934 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.286401033 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.296487093 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.296530962 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.296534061 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.306653976 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.306740999 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.306746960 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.311945915 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.312004089 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.312006950 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.380583048 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.380592108 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.435518026 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.435578108 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.435583115 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.440886021 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.440942049 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.440946102 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.451138020 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.451184034 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.451186895 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.463265896 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.463310957 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.463315010 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.473836899 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.473896980 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.473900080 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.483197927 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.483253002 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.483257055 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.492229939 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.492276907 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.492280006 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.501364946 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.501420975 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.501425028 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.510776043 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.510848045 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.510850906 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.520215034 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.520266056 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.520268917 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.529644012 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.529695988 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:01.529697895 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.548505068 CEST44349735142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:01.548554897 CEST49735443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:03.995279074 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.004391909 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.007379055 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.007384062 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.014842987 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.019366980 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.019372940 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.036741972 CEST49745443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:21:04.083607912 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.083612919 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.130477905 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.133053064 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.138201952 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.138230085 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.138369083 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.138375998 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.138421059 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.148663044 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.159275055 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.159301043 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.159343958 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.159352064 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.159502983 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.169616938 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.180119038 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.180136919 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.180282116 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.180289030 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.180334091 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.190567970 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.200284004 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.200313091 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.200458050 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.200465918 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.200522900 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.210134983 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.219794989 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.219818115 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.219973087 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.219979048 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.220024109 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.229548931 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.241556883 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.241588116 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.241730928 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.241738081 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.241802931 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.249039888 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.263051033 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.263098001 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.263251066 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.263257027 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.263302088 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.284926891 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.287302017 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.287333965 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.287473917 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.287482023 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.287524939 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.296026945 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.304402113 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.304433107 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.304483891 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.304490089 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.304651022 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.312494040 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.320429087 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.320456028 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.320611954 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.320617914 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.320664883 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.327651024 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.335490942 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.335525036 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.335575104 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.335582018 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.335743904 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.344743967 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.352649927 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.352679014 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.352824926 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.352832079 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.352873087 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.359167099 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.363027096 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.367275000 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.367280960 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.370635986 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.373399973 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.373405933 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.378288031 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.379275084 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.379281044 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.385056973 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.385112047 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.385117054 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.391838074 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.394300938 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.394306898 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.398703098 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.403295994 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.403301954 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.405220985 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.406402111 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.406408072 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.411561966 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.411612034 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.411617994 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.423572063 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.423604965 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.423772097 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.423779011 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.423826933 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.429591894 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.435523987 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.435575962 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.435713053 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.435720921 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.435764074 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.441288948 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.444256067 CEST44349744142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:04.445274115 CEST49744443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:21:04.445280075 CEST44349744142.250.176.14192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
May 4, 2024 15:21:04.450052023 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.451384068 CEST  49744        443        192.168.2.4      142.250.176.14
May 4, 2024 15:21:04.451390028 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.453712940 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.454282999 CEST  49744        443        192.168.2.4      142.250.176.14
May 4, 2024 15:21:04.454288006 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.457329035 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.460946083 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.460974932 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.460992098 CEST  49744        443        192.168.2.4      142.250.176.14
May 4, 2024 15:21:04.460999012 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.461020947 CEST  49744        443        192.168.2.4      142.250.176.14
May 4, 2024 15:21:04.464551926 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.464613914 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.464656115 CEST  49744        443        192.168.2.4      142.250.176.14
May 4, 2024 15:21:04.859121084 CEST  49744        443        192.168.2.4      142.250.176.14
May 4, 2024 15:21:04.859457970 CEST  49745        443        192.168.2.4      142.250.217.132
May 4, 2024 15:21:04.859477997 CEST  443          49745      142.250.217.132  192.168.2.4
May 4, 2024 15:21:04.859858990 CEST  443          49745      142.250.217.132  192.168.2.4
May 4, 2024 15:21:04.860547066 CEST  49745        443        192.168.2.4      142.250.217.132
May 4, 2024 15:21:04.860604048 CEST  443          49745      142.250.217.132  192.168.2.4
May 4, 2024 15:21:04.895205975 CEST  49744        443        192.168.2.4      142.250.176.14
May 4, 2024 15:21:04.895216942 CEST  443          49744      142.250.176.14   192.168.2.4
May 4, 2024 15:21:04.911470890 CEST  49745        443        192.168.2.4      142.250.217.132
May 4, 2024 15:21:05.974586964 CEST  49743        25         192.168.2.4      104.47.53.36
May 4, 2024 15:21:06.000761986 CEST  49748        443        192.168.2.4      109.107.161.150
May 4, 2024 15:21:06.000782013 CEST  443          49748      109.107.161.150  192.168.2.4
May 4, 2024 15:21:06.000869036 CEST  49748        443        192.168.2.4      109.107.161.150
May 4, 2024 15:21:09.990716934 CEST  49743        25         192.168.2.4      104.47.53.36
May 4, 2024 15:21:12.971812963 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:12.971841097 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:12.971915007 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:12.972873926 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:12.972887993 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:13.526290894 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:13.526365042 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:13.528765917 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:13.528774977 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:13.528978109 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:13.736123085 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:13.736174107 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:13.996234894 CEST  443          49745      142.250.217.132  192.168.2.4
May 4, 2024 15:21:13.996293068 CEST  443          49745      142.250.217.132  192.168.2.4
May 4, 2024 15:21:13.996361971 CEST  49745        443        192.168.2.4      142.250.217.132
May 4, 2024 15:21:14.053172112 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:14.096117973 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:14.115614891 CEST  49745        443        192.168.2.4      142.250.217.132
May 4, 2024 15:21:14.115629911 CEST  443          49745      142.250.217.132  192.168.2.4
May 4, 2024 15:21:14.413738966 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:14.413757086 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:14.413769960 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:14.413810968 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:14.413822889 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:14.413835049 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:14.413836956 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:14.413861990 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:14.413867950 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:14.413880110 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:14.413949013 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:14.413986921 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:14.746140957 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:14.746151924 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:14.746182919 CEST  49751        443        192.168.2.4      20.114.59.183
May 4, 2024 15:21:14.746187925 CEST  443          49751      20.114.59.183    192.168.2.4
May 4, 2024 15:21:17.991318941 CEST  49743        25         192.168.2.4      104.47.53.36
May 4, 2024 15:21:23.260438919 CEST  49757        25         192.168.2.4      67.195.228.110
May 4, 2024 15:21:24.271121979 CEST  49757        25         192.168.2.4      67.195.228.110
May 4, 2024 15:21:26.270936966 CEST  49757        25         192.168.2.4      67.195.228.110
May 4, 2024 15:21:30.286809921 CEST  49757        25         192.168.2.4      67.195.228.110
May 4, 2024 15:21:38.302359104 CEST  49757        25         192.168.2.4      67.195.228.110
May 4, 2024 15:21:42.865564108 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:42.865592003 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:42.865664959 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:42.865910053 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:42.865923882 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.174560070 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.174823999 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.174834967 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.175139904 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.175199986 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.175755024 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.175806046 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.180577993 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.180634975 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.180733919 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.180741072 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.225277901 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.569185972 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.569204092 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.569272041 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.569284916 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.579473972 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.579540014 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.579546928 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.580976963 CEST  49759        25         192.168.2.4      74.125.137.26
May 4, 2024 15:21:43.590049028 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.590116978 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.590123892 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.600502968 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.600562096 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.600568056 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.610980034 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.611031055 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.611037016 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.621459961 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.621512890 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.621517897 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.631952047 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.632000923 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.632006884 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.677205086 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.718463898 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.718511105 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.723653078 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.723710060 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.734138966 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.734206915 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.744653940 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.744728088 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.755121946 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.755182981 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.765577078 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.765631914 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.776082039 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.776129961 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.776134968 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.776160955 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.776221991 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.776227951 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.786556005 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.786624908 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.786631107 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.797063112 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.797120094 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.797126055 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.811785936 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.811811924 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.811850071 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.811856985 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.811892986 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.821126938 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.830460072 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.830485106 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.830529928 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.830537081 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.830579996 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.839829922 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.849144936 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.849172115 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.849208117 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.849212885 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.849255085 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.849260092 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.849280119 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:43.849335909 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.849517107 CEST  49758        443        192.168.2.4      142.250.72.174
May 4, 2024 15:21:43.849524021 CEST  443          49758      142.250.72.174   192.168.2.4
May 4, 2024 15:21:44.583539009 CEST  49759        25         192.168.2.4      74.125.137.26
May 4, 2024 15:21:46.005501032 CEST  49748        443        192.168.2.4      109.107.161.150
May 4, 2024 15:21:46.005558014 CEST  443          49748      109.107.161.150  192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:46.005614996 CEST49748443192.168.2.4109.107.161.150
                                                                                                                                                              May 4, 2024 15:21:46.115487099 CEST49765443192.168.2.4109.107.161.150
                                                                                                                                                              May 4, 2024 15:21:46.115493059 CEST44349765109.107.161.150192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:46.115555048 CEST49765443192.168.2.4109.107.161.150
                                                                                                                                                              May 4, 2024 15:21:46.593939066 CEST4975925192.168.2.474.125.137.26
                                                                                                                                                              May 4, 2024 15:21:50.598898888 CEST4975925192.168.2.474.125.137.26
                                                                                                                                                              May 4, 2024 15:21:51.345231056 CEST49770443192.168.2.440.68.123.157
                                                                                                                                                              May 4, 2024 15:21:51.345257998 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:51.345340967 CEST49770443192.168.2.440.68.123.157
                                                                                                                                                              May 4, 2024 15:21:51.345741987 CEST49770443192.168.2.440.68.123.157
                                                                                                                                                              May 4, 2024 15:21:51.345755100 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:52.238426924 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:52.238495111 CEST49770443192.168.2.440.68.123.157
                                                                                                                                                              May 4, 2024 15:21:52.242914915 CEST49770443192.168.2.440.68.123.157
                                                                                                                                                              May 4, 2024 15:21:52.242923021 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:52.243160963 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:52.251466036 CEST49770443192.168.2.440.68.123.157
                                                                                                                                                              May 4, 2024 15:21:52.292120934 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:53.120028019 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:53.120049000 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:53.120106936 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:53.120235920 CEST49770443192.168.2.440.68.123.157
                                                                                                                                                              May 4, 2024 15:21:53.120261908 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:53.120332956 CEST49770443192.168.2.440.68.123.157
                                                                                                                                                              May 4, 2024 15:21:53.127206087 CEST49770443192.168.2.440.68.123.157
                                                                                                                                                              May 4, 2024 15:21:53.127223969 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:53.127239943 CEST49770443192.168.2.440.68.123.157
                                                                                                                                                              May 4, 2024 15:21:53.127244949 CEST4434977040.68.123.157192.168.2.4
                                                                                                                                                              May 4, 2024 15:21:58.598862886 CEST4975925192.168.2.474.125.137.26
                                                                                                                                                              May 4, 2024 15:22:03.725330114 CEST49772443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:22:03.725356102 CEST44349772142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:03.725461006 CEST49772443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:22:03.725675106 CEST49772443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:22:03.725687981 CEST44349772142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:03.886938095 CEST4977325192.168.2.4217.69.139.150
                                                                                                                                                              May 4, 2024 15:22:04.033154011 CEST44349772142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:04.033446074 CEST49772443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:22:04.033453941 CEST44349772142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:04.033735037 CEST44349772142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:04.034164906 CEST49772443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:22:04.034225941 CEST44349772142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:04.083364964 CEST49772443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:22:04.895889997 CEST4977325192.168.2.4217.69.139.150
                                                                                                                                                              May 4, 2024 15:22:06.895875931 CEST4977325192.168.2.4217.69.139.150
                                                                                                                                                              May 4, 2024 15:22:09.740679979 CEST4972380192.168.2.423.206.229.76
                                                                                                                                                              May 4, 2024 15:22:09.740685940 CEST4972480192.168.2.423.206.229.76
                                                                                                                                                              May 4, 2024 15:22:09.890600920 CEST804972423.206.229.76192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:09.890760899 CEST4972480192.168.2.423.206.229.76
                                                                                                                                                              May 4, 2024 15:22:09.890806913 CEST804972323.206.229.76192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:09.890857935 CEST4972380192.168.2.423.206.229.76
                                                                                                                                                              May 4, 2024 15:22:10.896810055 CEST4977325192.168.2.4217.69.139.150
                                                                                                                                                              May 4, 2024 15:22:14.032886028 CEST44349772142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:14.032946110 CEST44349772142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:14.033093929 CEST49772443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:22:14.425909042 CEST49772443192.168.2.4142.250.217.132
                                                                                                                                                              May 4, 2024 15:22:14.425924063 CEST44349772142.250.217.132192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:17.157304049 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:17.157363892 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:17.157460928 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:17.157691002 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:17.157697916 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:17.471966982 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:17.521872044 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.311526060 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.311547995 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.311970949 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.312033892 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.312587976 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.312648058 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.314632893 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.314692974 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.314930916 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.314939022 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.370073080 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.471287012 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.471354008 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.471402884 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.471903086 CEST49774443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.471931934 CEST44349774142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.472887039 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.472923994 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.472984076 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.473356009 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.473371029 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.783845901 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.786875010 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.786887884 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.787214994 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.787277937 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.787815094 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.787864923 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.787976027 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.788033009 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.788120031 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.788132906 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.788146973 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.835338116 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:18.835345984 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:18.912066936 CEST4977325192.168.2.4217.69.139.150
                                                                                                                                                              May 4, 2024 15:22:19.117588043 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.117707014 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.117841959 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:19.120457888 CEST49775443192.168.2.4142.250.189.14
                                                                                                                                                              May 4, 2024 15:22:19.120479107 CEST44349775142.250.189.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.278431892 CEST49776443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:22:19.278455973 CEST44349776142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.278575897 CEST49776443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:22:19.279284954 CEST49776443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:22:19.279298067 CEST44349776142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.587614059 CEST44349776142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.587857008 CEST49776443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:22:19.587867975 CEST44349776142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.588187933 CEST44349776142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.588237047 CEST49776443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:22:19.588792086 CEST44349776142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.588835955 CEST49776443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:22:19.588962078 CEST49776443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:22:19.589011908 CEST44349776142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.589121103 CEST49776443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:22:19.589127064 CEST44349776142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.630793095 CEST49776443192.168.2.4142.250.176.14
                                                                                                                                                              May 4, 2024 15:22:19.898260117 CEST44349776142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.898282051 CEST44349776142.250.176.14192.168.2.4
                                                                                                                                                              May 4, 2024 15:22:19.898364067 CEST49776443192.168.2.4142.250.176.14
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 4, 2024 15:20:59.688174963 CEST | 192.168.2.4 | 1.1.1.1 | 0xb0e1 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
May 4, 2024 15:20:59.688174963 CEST | 192.168.2.4 | 1.1.1.1 | 0x9286 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:02.709583044 CEST | 192.168.2.4 | 1.1.1.1 | 0xc17c | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:03.210967064 CEST | 192.168.2.4 | 1.1.1.1 | 0x9910 | Standard query (0) | apis.google.com | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:03.211328983 CEST | 192.168.2.4 | 1.1.1.1 | 0xb03b | Standard query (0) | apis.google.com | 65 | IN (0x0001) | false
May 4, 2024 15:21:05.197182894 CEST | 192.168.2.4 | 1.1.1.1 | 0x4ea6 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:22.958383083 CEST | 192.168.2.4 | 1.1.1.1 | 0x813 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
May 4, 2024 15:21:23.109292030 CEST | 192.168.2.4 | 1.1.1.1 | 0x58f3 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:42.713696957 CEST | 192.168.2.4 | 1.1.1.1 | 0xfb6c | Standard query (0) | ogs.google.com | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:42.713850021 CEST | 192.168.2.4 | 1.1.1.1 | 0x64e1 | Standard query (0) | ogs.google.com | 65 | IN (0x0001) | false
May 4, 2024 15:21:43.271225929 CEST | 192.168.2.4 | 1.1.1.1 | 0xe8e4 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
May 4, 2024 15:21:43.423614979 CEST | 192.168.2.4 | 1.1.1.1 | 0x35a6 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
May 4, 2024 15:22:03.583894968 CEST | 192.168.2.4 | 1.1.1.1 | 0x674d | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
May 4, 2024 15:22:03.735274076 CEST | 192.168.2.4 | 1.1.1.1 | 0x6ea6 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
May 4, 2024 15:22:16.987966061 CEST | 192.168.2.4 | 1.1.1.1 | 0xce6d | Standard query (0) | play.google.com | A (IP address) | IN (0x0001) | false
May 4, 2024 15:22:16.988145113 CEST | 192.168.2.4 | 1.1.1.1 | 0xcc61 | Standard query (0) | play.google.com | 65 | IN (0x0001) | false
May 4, 2024 15:22:19.126493931 CEST | 192.168.2.4 | 1.1.1.1 | 0x87 | Standard query (0) | play.google.com | A (IP address) | IN (0x0001) | false
May 4, 2024 15:22:19.126653910 CEST | 192.168.2.4 | 1.1.1.1 | 0x7a10 | Standard query (0) | play.google.com | 65 | IN (0x0001) | false
May 4, 2024 15:22:42.647651911 CEST | 192.168.2.4 | 1.1.1.1 | 0xdf35 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
May 4, 2024 15:23:01.066675901 CEST | 192.168.2.4 | 1.1.1.1 | 0x6152 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 4, 2024 15:20:59.839366913 CEST | 1.1.1.1 | 192.168.2.4 | 0x9286 | No error (0) | www.google.com | | 142.250.217.132 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:20:59.839405060 CEST | 1.1.1.1 | 192.168.2.4 | 0xb0e1 | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
May 4, 2024 15:21:02.944638968 CEST | 1.1.1.1 | 192.168.2.4 | 0xc17c | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:02.944638968 CEST | 1.1.1.1 | 192.168.2.4 | 0xc17c | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:03.361237049 CEST | 1.1.1.1 | 192.168.2.4 | 0x9910 | No error (0) | apis.google.com | plus.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
May 4, 2024 15:21:03.361237049 CEST | 1.1.1.1 | 192.168.2.4 | 0x9910 | No error (0) | plus.l.google.com | | 142.250.176.14 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:03.363080978 CEST | 1.1.1.1 | 192.168.2.4 | 0xb03b | No error (0) | apis.google.com | plus.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
May 4, 2024 15:21:06.000072956 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ea6 | No error (0) | vanaheim.cn | | 109.107.161.150 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:23.108664036 CEST | 1.1.1.1 | 192.168.2.4 | 0x813 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
May 4, 2024 15:21:23.108664036 CEST | 1.1.1.1 | 192.168.2.4 | 0x813 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
May 4, 2024 15:21:23.108664036 CEST | 1.1.1.1 | 192.168.2.4 | 0x813 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
May 4, 2024 15:21:23.259823084 CEST | 1.1.1.1 | 192.168.2.4 | 0x58f3 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:23.259823084 CEST | 1.1.1.1 | 192.168.2.4 | 0x58f3 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.111 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:23.259823084 CEST | 1.1.1.1 | 192.168.2.4 | 0x58f3 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:23.259823084 CEST | 1.1.1.1 | 192.168.2.4 | 0x58f3 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.79 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:23.259823084 CEST | 1.1.1.1 | 192.168.2.4 | 0x58f3 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:23.259823084 CEST | 1.1.1.1 | 192.168.2.4 | 0x58f3 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:23.259823084 CEST | 1.1.1.1 | 192.168.2.4 | 0x58f3 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.109 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:23.259823084 CEST | 1.1.1.1 | 192.168.2.4 | 0x58f3 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:42.864095926 CEST | 1.1.1.1 | 192.168.2.4 | 0xfb6c | No error (0) | ogs.google.com | www3.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
May 4, 2024 15:21:42.864095926 CEST | 1.1.1.1 | 192.168.2.4 | 0xfb6c | No error (0) | www3.l.google.com | | 142.250.72.174 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:42.865144014 CEST | 1.1.1.1 | 192.168.2.4 | 0x64e1 | No error (0) | ogs.google.com | www3.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
May 4, 2024 15:21:43.423000097 CEST | 1.1.1.1 | 192.168.2.4 | 0xe8e4 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
May 4, 2024 15:21:43.574397087 CEST | 1.1.1.1 | 192.168.2.4 | 0x35a6 | No error (0) | smtp.google.com | | 74.125.137.26 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:43.574397087 CEST | 1.1.1.1 | 192.168.2.4 | 0x35a6 | No error (0) | smtp.google.com | | 142.251.2.26 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:43.574397087 CEST | 1.1.1.1 | 192.168.2.4 | 0x35a6 | No error (0) | smtp.google.com | | 74.125.137.27 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:43.574397087 CEST | 1.1.1.1 | 192.168.2.4 | 0x35a6 | No error (0) | smtp.google.com | | 142.250.141.27 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:21:43.574397087 CEST | 1.1.1.1 | 192.168.2.4 | 0x35a6 | No error (0) | smtp.google.com | | 142.250.101.27 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:22:03.734599113 CEST | 1.1.1.1 | 192.168.2.4 | 0x674d | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
May 4, 2024 15:22:03.886388063 CEST | 1.1.1.1 | 192.168.2.4 | 0x6ea6 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:22:03.886388063 CEST | 1.1.1.1 | 192.168.2.4 | 0x6ea6 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:22:17.139319897 CEST | 1.1.1.1 | 192.168.2.4 | 0xce6d | No error (0) | play.google.com | | 142.250.189.14 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:22:19.276923895 CEST | 1.1.1.1 | 192.168.2.4 | 0x87 | No error (0) | play.google.com | | 142.250.176.14 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:22:42.982033014 CEST | 1.1.1.1 | 192.168.2.4 | 0xdf35 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:22:42.982033014 CEST | 1.1.1.1 | 192.168.2.4 | 0xdf35 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:23:01.300811052 CEST | 1.1.1.1 | 192.168.2.4 | 0x6152 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
May 4, 2024 15:23:01.300811052 CEST | 1.1.1.1 | 192.168.2.4 | 0x6152 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
• www.google.com
• apis.google.com
• slscr.update.microsoft.com
• ogs.google.com
• https:
  • play.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 142.250.217.132 | 443 | 7208 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                              2024-05-04 13:21:01 UTC607OUTGET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
                                                                                                                                                              Host: www.google.com
                                                                                                                                                              Connection: keep-alive
                                                                                                                                                              X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
                                                                                                                                                              Sec-Fetch-Site: none
                                                                                                                                                              Sec-Fetch-Mode: no-cors
                                                                                                                                                              Sec-Fetch-Dest: empty
                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                                                                              Accept-Language: en-US,en;q=0.9
2024-05-04 13:21:01 UTC | 1283 | IN | HTTP/1.1 200 OK
                                                                                                                                                              Date: Sat, 04 May 2024 13:21:01 GMT
                                                                                                                                                              Pragma: no-cache
                                                                                                                                                              Expires: -1
                                                                                                                                                              Cache-Control: no-cache, must-revalidate
                                                                                                                                                              Content-Type: text/javascript; charset=UTF-8
                                                                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                                                                              Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-a65WkldqaYivDBjQbqaHFg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1
                                                                                                                                                              Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                                                                                                              Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]}
                                                                                                                                                              Accept-CH: Sec-CH-Viewport-Width
                                                                                                                                                              Accept-CH: Sec-CH-Viewport-Height
                                                                                                                                                              Accept-CH: Sec-CH-DPR
                                                                                                                                                              Accept-CH: Sec-CH-UA-Platform
                                                                                                                                                              Accept-CH: Sec-CH-UA-Platform-Version
                                                                                                                                                              Accept-CH: Sec-CH-UA-Full-Version
                                                                                                                                                              Accept-CH: Sec-CH-UA-Arch
                                                                                                                                                              Accept-CH: Sec-CH-UA-Model
                                                                                                                                                              Accept-CH: Sec-CH-UA-Bitness
                                                                                                                                                              Accept-CH: Sec-CH-UA-Full-Version-List
                                                                                                                                                              Accept-CH: Sec-CH-UA-WoW64
                                                                                                                                                              Permissions-Policy: unload=()
                                                                                                                                                              Content-Disposition: attachment; filename="f.txt"
                                                                                                                                                              Server: gws
                                                                                                                                                              X-XSS-Protection: 0
                                                                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                                              Accept-Ranges: none
                                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                                              Connection: close
                                                                                                                                                              Transfer-Encoding: chunked
2024-05-04 13:21:01 UTC | 884 | IN | Data Ascii: 36d)]}'["",["pittsburgh oakland construction accident","fall guy movie ryan gosling","12 cilindri ferrari","red lobster endless shrimp","harper murray nebraska volleyball","hawley texas tornadoes","dua lipa album review","sony psn account helldivers"],
2024-05-04 13:21:01 UTC | 5 | IN | Data Ascii: 0 (final zero-length chunk of the chunked response)


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49733 | Destination IP: 142.250.217.132 | Destination Port: 443 | PID: 7208 | Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-04 13:21:01 UTC | 353 | OUT | GET /async/ddljson?async=ntp:2 HTTP/1.1
                                                                                                                                                              Host: www.google.com
                                                                                                                                                              Connection: keep-alive
                                                                                                                                                              Sec-Fetch-Site: none
                                                                                                                                                              Sec-Fetch-Mode: no-cors
                                                                                                                                                              Sec-Fetch-Dest: empty
                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                                                                              Accept-Language: en-US,en;q=0.9
2024-05-04 13:21:01 UTC | 967 | IN | HTTP/1.1 200 OK
                                                                                                                                                              Version: 630032337
                                                                                                                                                              Content-Type: application/json; charset=UTF-8
                                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                                                                              Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                                                                                                              Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                                                                                                              Accept-CH: Sec-CH-UA-Platform
                                                                                                                                                              Accept-CH: Sec-CH-UA-Platform-Version
                                                                                                                                                              Accept-CH: Sec-CH-UA-Full-Version
                                                                                                                                                              Accept-CH: Sec-CH-UA-Arch
                                                                                                                                                              Accept-CH: Sec-CH-UA-Model
                                                                                                                                                              Accept-CH: Sec-CH-UA-Bitness
                                                                                                                                                              Accept-CH: Sec-CH-UA-Full-Version-List
                                                                                                                                                              Accept-CH: Sec-CH-UA-WoW64
                                                                                                                                                              Permissions-Policy: unload=()
                                                                                                                                                              Content-Disposition: attachment; filename="f.txt"
                                                                                                                                                              Date: Sat, 04 May 2024 13:21:01 GMT
                                                                                                                                                              Server: gws
                                                                                                                                                              Cache-Control: private
                                                                                                                                                              X-XSS-Protection: 0
                                                                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                                              Accept-Ranges: none
                                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                                              Connection: close
                                                                                                                                                              Transfer-Encoding: chunked
2024-05-04 13:21:01 UTC | 25 | IN | Data Ascii: 13)]}'{"ddljson":{}}
2024-05-04 13:21:01 UTC | 5 | IN | Data Ascii: 0 (final zero-length chunk of the chunked response)


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49735 | Destination IP: 142.250.217.132 | Destination Port: 443 | PID: 7208 | Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-04 13:21:01 UTC | 510 | OUT | GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                                                                                                                                                              Host: www.google.com
                                                                                                                                                              Connection: keep-alive
                                                                                                                                                              X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
                                                                                                                                                              Sec-Fetch-Site: cross-site
                                                                                                                                                              Sec-Fetch-Mode: no-cors
                                                                                                                                                              Sec-Fetch-Dest: empty
                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                                                                              Accept-Language: en-US,en;q=0.9
2024-05-04 13:21:01 UTC | 967 | IN | HTTP/1.1 200 OK
                                                                                                                                                              Version: 630032337
                                                                                                                                                              Content-Type: application/json; charset=UTF-8
                                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                                                                              Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                                                                                                              Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                                                                                                              Accept-CH: Sec-CH-UA-Platform
                                                                                                                                                              Accept-CH: Sec-CH-UA-Platform-Version
                                                                                                                                                              Accept-CH: Sec-CH-UA-Full-Version
                                                                                                                                                              Accept-CH: Sec-CH-UA-Arch
                                                                                                                                                              Accept-CH: Sec-CH-UA-Model
                                                                                                                                                              Accept-CH: Sec-CH-UA-Bitness
                                                                                                                                                              Accept-CH: Sec-CH-UA-Full-Version-List
                                                                                                                                                              Accept-CH: Sec-CH-UA-WoW64
                                                                                                                                                              Permissions-Policy: unload=()
                                                                                                                                                              Content-Disposition: attachment; filename="f.txt"
                                                                                                                                                              Date: Sat, 04 May 2024 13:21:01 GMT
                                                                                                                                                              Server: gws
                                                                                                                                                              Cache-Control: private
                                                                                                                                                              X-XSS-Protection: 0
                                                                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                                              Accept-Ranges: none
                                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                                              Connection: close
                                                                                                                                                              Transfer-Encoding: chunked
2024-05-04 13:21:01 UTC | 288 | IN | Data Ascii: 215c)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Qa gb_hb gb_Td gb_nd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
                                                                                                                                                              2024-05-04 13:21:01 UTC1255INData Raw: 6d 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 5c 75 30 30 33 64 72 68 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 68 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 30 33 64 5c 22 30 20 30 20 32 34 20 32 34 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 36 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c
                                                                                                                                                              Data Ascii: m/intl/en/about/products?tab\u003drh\" aria-expanded\u003d\"false\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg class\u003d\"gb_h\" focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M6,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,
                                                                                                                                                              2024-05-04 13:21:01 UTC1255INData Raw: 75 30 30 33 64 5c 22 67 62 5f 36 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 48 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 49 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 61 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 38 64 20 67 62 5f 4a 63 20 67 62 5f 36 64 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 47 6f 6f 67 6c 65 5c 22 20 68 72 65 66 5c 75 30 30 33 64 5c 22 2f 3f 74 61 62 5c 75 30 30 33 64 72 72 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4e 63 20 67 62 5f 35 64 5c 22 20 61 72 69 61 2d 68 69 64 64 65 6e 5c 75 30 30 33 64 5c 22 74 72 75 65 5c
                                                                                                                                                              Data Ascii: u003d\"gb_6c\"\u003e\u003cdiv class\u003d\"gb_Hc\"\u003e\u003cdiv class\u003d\"gb_Ic\"\u003e\u003ca class\u003d\"gb_8d gb_Jc gb_6d\" aria-label\u003d\"Google\" href\u003d\"/?tab\u003drr\"\u003e\u003cspan class\u003d\"gb_Nc gb_5d\" aria-hidden\u003d\"true\
                                                                                                                                                              2024-05-04 13:21:01 UTC1255INData Raw: 6e 28 29 7b 69 66 28 21 5f 2e 71 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 7c 7c 21 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 29 72 65 74 75 72 6e 21 31 3b 76 61 72 20 61 5c 75 30 30 33 64 21 31 2c 62 5c 75 30 30 33 64 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 7b 7d 2c 5c 22 70 61 73 73 69 76 65 5c 22 2c 7b 67 65 74 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5c 75 30 30 33 64 21 30 7d 7d 29 3b 74 72 79 7b 63 6f 6e 73 74 20 63 5c 75 30 30 33 64 28 29 5c 75 30 30 33 64 5c 75 30 30 33 65 7b 7d 3b 5f 2e 71 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 5c 22 74 65 73 74 5c 22 2c 63 2c 62 29 3b 5f 2e 71 2e 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 5c 22 74 65 73 74 5c 22 2c 63 2c 62 29
                                                                                                                                                              Data Ascii: n(){if(!_.q.addEventListener||!Object.defineProperty)return!1;var a\u003d!1,b\u003dObject.defineProperty({},\"passive\",{get:function(){a\u003d!0}});try{const c\u003d()\u003d\u003e{};_.q.addEventListener(\"test\",c,b);_.q.removeEventListener(\"test\",c,b)
                                                                                                                                                              2024-05-04 13:21:01 UTC730INData Raw: 6e 63 74 69 6f 6e 28 61 29 7b 63 6f 6e 73 74 20 62 5c 75 30 30 33 64 61 2e 6c 65 6e 67 74 68 3b 69 66 28 30 5c 75 30 30 33 63 62 29 7b 63 6f 6e 73 74 20 63 5c 75 30 30 33 64 41 72 72 61 79 28 62 29 3b 66 6f 72 28 6c 65 74 20 64 5c 75 30 30 33 64 30 3b 64 5c 75 30 30 33 63 62 3b 64 2b 2b 29 63 5b 64 5d 5c 75 30 30 33 64 61 5b 64 5d 3b 72 65 74 75 72 6e 20 63 7d 72 65 74 75 72 6e 5b 5d 7d 3b 5f 2e 75 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 74 64 29 72 65 74 75 72 6e 20 61 2e 69 3b 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 44 5c 22 29 3b 7d 3b 77 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 76 64 28 62 5c 75 30 30 33 64 5c 75 30 30 33 65 62 2e
                                                                                                                                                              Data Ascii: nction(a){const b\u003da.length;if(0\u003cb){const c\u003dArray(b);for(let d\u003d0;d\u003cb;d++)c[d]\u003da[d];return c}return[]};_.ud\u003dfunction(a){if(a instanceof _.td)return a.i;throw Error(\"D\");};wd\u003dfunction(a){return new vd(b\u003d\u003eb.
                                                                                                                                                              2024-05-04 13:21:01 UTC451INData Raw: 31 62 63 0d 0a 2e 61 70 70 6c 79 28 64 2c 61 72 67 75 6d 65 6e 74 73 29 3b 72 65 74 75 72 6e 20 61 2e 61 70 70 6c 79 28 74 68 69 73 2c 64 29 7d 7d 3b 5f 2e 44 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 72 65 74 75 72 6e 20 76 6f 69 64 20 30 21 5c 75 30 30 33 64 5c 75 30 30 33 64 5f 2e 6b 62 28 61 2c 62 2c 63 2c 21 31 29 7d 3b 5f 2e 45 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 72 65 74 75 72 6e 20 5f 2e 72 64 28 5f 2e 71 63 28 61 2c 62 29 29 7d 3b 5c 6e 5f 2e 52 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5c 75 30 30 33 64 5f 2e 71 63 28 61 2c 62 29 3b 72 65 74 75 72 6e 20 6e 75 6c 6c 5c 75 30 30 33 64 5c 75 30 30 33 64 61 3f 61 3a 4e 75 6d 62 65 72 2e 69 73 46 69 6e 69 74 65 28 61 29 3f 61
                                                                                                                                                              Data Ascii: 1bc.apply(d,arguments);return a.apply(this,d)}};_.Dd\u003dfunction(a,b,c){return void 0!\u003d\u003d_.kb(a,b,c,!1)};_.Ed\u003dfunction(a,b){return _.rd(_.qc(a,b))};\n_.R\u003dfunction(a,b){a\u003d_.qc(a,b);return null\u003d\u003da?a:Number.isFinite(a)?a
                                                                                                                                                              2024-05-04 13:21:01 UTC1255INData Raw: 38 30 30 30 0d 0a 48 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 49 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 5c 75 30 30 33 64 6e 75 6c 6c 2c 63 5c 75 30 30 33 64 5f 2e 71 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 69 66 28 21 63 7c 7c 21 63 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 29 72 65 74 75 72 6e 20 62 3b 74 72 79 7b 62 5c 75 30 30 33 64 63 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 28 61 2c 7b 63 72 65 61 74 65 48 54 4d 4c 3a 48 64 2c 63 72 65 61 74 65 53 63 72 69 70 74 3a 48 64 2c 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 3a 48 64 7d 29 7d 63 61 74 63 68 28 64 29 7b 5f 2e 71 2e 63 6f 6e 73 6f 6c 65 5c 75 30 30 32 36 5c 75 30 30 32 36 5f 2e 71 2e 63 6f 6e 73 6f 6c 65 2e 65
                                                                                                                                                              Data Ascii: 8000Hd\u003dfunction(a){return a};_.Id\u003dfunction(a){var b\u003dnull,c\u003d_.q.trustedTypes;if(!c||!c.createPolicy)return b;try{b\u003dc.createPolicy(a,{createHTML:Hd,createScript:Hd,createScriptURL:Hd})}catch(d){_.q.console\u0026\u0026_.q.console.e


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49736 | 142.250.217.132 | 443 | 7208 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-04 13:21:01 UTC | 353 | OUT | GET /async/newtab_promos HTTP/1.1
Host: www.google.com
Connection: keep-alive
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-05-04 13:21:01 UTC | 922 | IN | HTTP/1.1 200 OK
Version: 630032337
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
Accept-CH: Sec-CH-UA-Platform
Accept-CH: Sec-CH-UA-Platform-Version
Accept-CH: Sec-CH-UA-Full-Version
Accept-CH: Sec-CH-UA-Arch
Accept-CH: Sec-CH-UA-Model
Accept-CH: Sec-CH-UA-Bitness
Accept-CH: Sec-CH-UA-Full-Version-List
Accept-CH: Sec-CH-UA-WoW64
Permissions-Policy: unload=()
Content-Disposition: attachment; filename="f.txt"
Date: Sat, 04 May 2024 13:21:01 GMT
Server: gws
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2024-05-04 13:21:01 UTC | 35 | IN | Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a
Data Ascii: 1d)]}'{"update":{"promos":{}}}
2024-05-04 13:21:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
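The two data rows above are the complete body of the newtab_promos response: one 0x1d-byte chunk carrying Google's `)]}'` anti-JSON-hijacking prefix followed by the JSON, then the zero-length terminating chunk. The sandbox prints each TCP segment as a hex dump, so reading such a body by hand means reversing two layers, HTTP chunked transfer encoding and the XSSI prefix. The Python below is an added example, not part of the Joe Sandbox report or of any Google code: it reassembles the body from the report's two hex rows, decodes the chunked framing, strips the prefix and parses the JSON. The trimmed header block is constructed from the response headers shown above (the real response carries more), and the chunk decoder is generic, so it also handles multi-chunk bodies of the kind visible in the earlier session's dump, where `1bc` and `8000` chunk-size lines appear in mid-stream.

```python
"""Reassemble and decode the chunked HTTP/1.1 response captured in session 3.

Added example, not part of the sandbox report. CHUNK_ROWS is copied from the
report's two "Data Raw" rows; RAW_HEADERS is a constructed, trimmed copy of the
response headers shown in the report.
"""
import json
import re

# Hex of the two data rows of session 3 (copied from the report).
CHUNK_ROWS = [
    "31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a",
    "30 0d 0a 0d 0a",
]

# Constructed subset of the session 3 response headers (see the report above).
RAW_HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json; charset=UTF-8\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Disposition: attachment; filename=\"f.txt\"\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)

# Google's XSSI guard: makes the body a syntax error if a hostile page pulls it
# in via <script src=...>, so a legitimate XHR client must strip it first.
XSSI_PREFIX = b")]}'\n"


def hex_rows_to_bytes(rows):
    """Join the sandbox's space-separated hex rows into one byte string."""
    return b"".join(bytes.fromhex(row) for row in rows)


def dechunk(body):
    """Decode an HTTP/1.1 chunked body; raise ValueError on malformed input.

    Each chunk is: hex size, optional ';name=value' extensions, CRLF, data,
    CRLF. A zero-size chunk ends the body (trailers, if any, are ignored).
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            return bytes(out)
        # The data must be fully present and followed by its own CRLF.
        if len(body) < pos + size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += body[pos:pos + size]
        pos += size + 2


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    status = int(status_line.split()[1].decode())
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


def decode_xssi_json(body):
    """Strip the anti-hijacking prefix, then parse the JSON that follows."""
    if body.startswith(XSSI_PREFIX):
        body = body[len(XSSI_PREFIX):]
    return json.loads(body)


def decode_session3():
    """Decode the captured session 3 response end to end."""
    raw = RAW_HEADERS + hex_rows_to_bytes(CHUNK_ROWS)
    status, headers, body = parse_response(raw)
    return status, headers, body, decode_xssi_json(body)


if __name__ == "__main__":
    status, headers, body, payload = decode_session3()
    print(status, headers["content-type"])
    print(body)
    print(payload)
```

The decoder refuses a chunk whose data or trailing CRLF is missing rather than returning a partial body; when reconstructing traffic from a sandbox dump that is the failure mode you actually hit, because the report truncates long sessions and the last segment may end mid-chunk.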


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49744 | 142.250.176.14 | 443 | 7208 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-04 13:21:03 UTC | 741 | OUT | GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1
Host: apis.google.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-05-04 13:21:03 UTC | 916 | IN | HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/social-frontend-mpm-access
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="social-frontend-mpm-access"
Report-To: {"group":"social-frontend-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/social-frontend-mpm-access"}]}
Content-Length: 121628
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Tue, 30 Apr 2024 06:53:06 GMT
Expires: Wed, 30 Apr 2025 06:53:06 GMT
Cache-Control: public, max-age=31536000
Last-Modified: Mon, 15 Apr 2024 17:34:54 GMT
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Age: 368877
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-05-04 13:21:03 UTC | 339 | IN | Data Raw: 67 61 70 69 2e 6c 6f 61 64 65 64 5f 30 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 3f 67 6c 6f 62 61 6c 54 68 69 73 3a 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 3d 74 79 70 65 6f 66 20 73 65 6c 66 3f 73 65 6c 66 3a 74 68 69 73 29 2e 5f 46 5f 74 6f 67 67 6c 65 73 3d 61 7c 7c 5b 5d 7d 3b 28 30 2c 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 29 28 5b 30 78 32 30 30 30 30 2c 20 5d 29 3b 0a 76 61 72 20 62 61 2c 63 61 2c 64 61 2c 6e 61 2c 70 61 2c 76 61 2c 77 61 2c 7a 61 3b 62 61 3d 66 75 6e 63
Data Ascii: gapi.loaded_0(function(_){var window=this;_._F_toggles_initialize=function(a){("undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:this)._F_toggles=a||[]};(0,_._F_toggles_initialize)([0x20000, ]);var ba,ca,da,na,pa,va,wa,za;ba=func
2024-05-04 13:21:03 UTC | 1255 | IN | Data Raw: 7d 7d 3b 63 61 3d 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 3f 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 3a 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 61 3d 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 7c 7c 61 3d 3d 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 29 72 65 74 75 72 6e 20 61 3b 61 5b 62 5d 3d 63 2e 76 61 6c 75 65 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 64 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 5b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 26 26 67 6c 6f 62 61 6c 54 68 69 73 2c 61 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2c
Data Ascii: }};ca="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;return a};da=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,
2024-05-04 13:21:03 UTC | 1255 | IN | Data Raw: 6f 6e 22 3d 3d 3d 74 79 70 65 6f 66 20 64 26 26 22 66 75 6e 63 74 69 6f 6e 22 21 3d 74 79 70 65 6f 66 20 64 2e 70 72 6f 74 6f 74 79 70 65 5b 61 5d 26 26 63 61 28 64 2e 70 72 6f 74 6f 74 79 70 65 2c 61 2c 7b 63 6f 6e 66 69 67 75 72 61 62 6c 65 3a 21 30 2c 77 72 69 74 61 62 6c 65 3a 21 30 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 70 61 28 62 61 28 74 68 69 73 29 29 7d 7d 29 7d 72 65 74 75 72 6e 20 61 7d 29 3b 70 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 7b 6e 65 78 74 3a 61 7d 3b 61 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 5f 2e 75 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 22 75 6e 64
Data Ascii: on"===typeof d&&"function"!=typeof d.prototype[a]&&ca(d.prototype,a,{configurable:!0,writable:!0,value:function(){return pa(ba(this))}})}return a});pa=function(a){a={next:a};a[Symbol.iterator]=function(){return this};return a};_.ua=function(a){var b="und
2024-05-04 13:21:03 UTC | 1255 | IN | Data Raw: 2e 50 66 29 7b 74 68 69 73 2e 50 66 3d 5b 5d 3b 76 61 72 20 6b 3d 74 68 69 73 3b 74 68 69 73 2e 74 50 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6b 2e 45 37 28 29 7d 29 7d 74 68 69 73 2e 50 66 2e 70 75 73 68 28 68 29 7d 3b 76 61 72 20 64 3d 5f 2e 6d 61 2e 73 65 74 54 69 6d 65 6f 75 74 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 74 50 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 64 28 68 2c 30 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 45 37 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 3b 74 68 69 73 2e 50 66 26 26 74 68 69 73 2e 50 66 2e 6c 65 6e 67 74 68 3b 29 7b 76 61 72 20 68 3d 74 68 69 73 2e 50 66 3b 74 68 69 73 2e 50 66 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 6b 3d 30 3b 6b 3c 68 2e 6c 65 6e 67 74 68 3b 2b 2b 6b 29 7b 76 61 72 20 6c 3d 68 5b 6b 5d 3b 68 5b 6b 5d 3d
Data Ascii: .Pf){this.Pf=[];var k=this;this.tP(function(){k.E7()})}this.Pf.push(h)};var d=_.ma.setTimeout;b.prototype.tP=function(h){d(h,0)};b.prototype.E7=function(){for(;this.Pf&&this.Pf.length;){var h=this.Pf;this.Pf=[];for(var k=0;k<h.length;++k){var l=h[k];h[k]=
2024-05-04 13:21:03 UTC | 1255 | IN | Data Raw: 74 6f 74 79 70 65 2e 6e 65 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 68 3d 74 68 69 73 3b 64 28 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 68 2e 67 63 61 28 29 29 7b 76 61 72 20 6b 3d 5f 2e 6d 61 2e 63 6f 6e 73 6f 6c 65 3b 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 3d 74 79 70 65 6f 66 20 6b 26 26 6b 2e 65 72 72 6f 72 28 68 2e 46 66 29 7d 7d 2c 0a 31 29 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 67 63 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 74 68 69 73 2e 73 56 29 72 65 74 75 72 6e 21 31 3b 76 61 72 20 68 3d 5f 2e 6d 61 2e 43 75 73 74 6f 6d 45 76 65 6e 74 2c 6b 3d 5f 2e 6d 61 2e 45 76 65 6e 74 2c 6c 3d 5f 2e 6d 61 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 3b 69 66 28 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 3d 74 79 70 65 6f 66 20 6c 29 72 65 74
Data Ascii: totype.nea=function(){var h=this;d(function(){if(h.gca()){var k=_.ma.console;"undefined"!==typeof k&&k.error(h.Ff)}},1)};e.prototype.gca=function(){if(this.sV)return!1;var h=_.ma.CustomEvent,k=_.ma.Event,l=_.ma.dispatchEvent;if("undefined"===typeof l)ret
2024-05-04 13:21:03 UTC | 1255 | IN | Data Raw: 3b 74 68 69 73 2e 73 56 3d 21 30 7d 3b 65 2e 72 65 73 6f 6c 76 65 3d 63 3b 65 2e 72 65 6a 65 63 74 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 65 28 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 6c 28 68 29 7d 29 7d 3b 65 2e 72 61 63 65 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 65 28 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 66 6f 72 28 76 61 72 20 6d 3d 5f 2e 75 61 28 68 29 2c 6e 3d 6d 2e 6e 65 78 74 28 29 3b 21 6e 2e 64 6f 6e 65 3b 6e 3d 6d 2e 6e 65 78 74 28 29 29 63 28 6e 2e 76 61 6c 75 65 29 2e 42 79 28 6b 2c 6c 29 7d 29 7d 3b 65 2e 61 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 76 61 72 20 6b 3d 5f 2e 75 61 28 68 29 2c 6c 3d 6b 2e 6e 65 78 74 28 29 3b 72 65 74 75 72 6e 20 6c 2e 64 6f 6e 65 3f 63
Data Ascii: ;this.sV=!0};e.resolve=c;e.reject=function(h){return new e(function(k,l){l(h)})};e.race=function(h){return new e(function(k,l){for(var m=_.ua(h),n=m.next();!n.done;n=m.next())c(n.value).By(k,l)})};e.all=function(h){var k=_.ua(h),l=k.next();return l.done?c
2024-05-04 13:21:03 UTC | 1255 | IN | Data Raw: 63 74 2e 73 65 61 6c 29 72 65 74 75 72 6e 21 31 3b 74 72 79 7b 76 61 72 20 6c 3d 4f 62 6a 65 63 74 2e 73 65 61 6c 28 7b 7d 29 2c 6d 3d 4f 62 6a 65 63 74 2e 73 65 61 6c 28 7b 7d 29 2c 6e 3d 6e 65 77 20 61 28 5b 5b 6c 2c 32 5d 2c 5b 6d 2c 33 5d 5d 29 3b 69 66 28 32 21 3d 6e 2e 67 65 74 28 6c 29 7c 7c 33 21 3d 6e 2e 67 65 74 28 6d 29 29 72 65 74 75 72 6e 21 31 3b 6e 2e 64 65 6c 65 74 65 28 6c 29 3b 6e 2e 73 65 74 28 6d 2c 34 29 3b 72 65 74 75 72 6e 21 6e 2e 68 61 73 28 6c 29 26 26 34 3d 3d 6e 2e 67 65 74 28 6d 29 7d 63 61 74 63 68 28 70 29 7b 72 65 74 75 72 6e 21 31 7d 7d 28 29 29 72 65 74 75 72 6e 20 61 3b 0a 76 61 72 20 66 3d 22 24 6a 73 63 6f 6d 70 5f 68 69 64 64 65 6e 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b
                                                                                                                                                              Data Ascii: ct.seal)return!1;try{var l=Object.seal({}),m=Object.seal({}),n=new a([[l,2],[m,3]]);if(2!=n.get(l)||3!=n.get(m))return!1;n.delete(l);n.set(m,4);return!n.has(l)&&4==n.get(m)}catch(p){return!1}}())return a;var f="$jscomp_hidden_"+Math.random();e("freeze");
                                                                                                                                                              2024-05-04 13:21:03 UTC1255INData Raw: 20 62 3d 6e 65 77 20 57 65 61 6b 4d 61 70 2c 63 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 5b 30 5d 3d 7b 7d 3b 74 68 69 73 5b 31 5d 3d 0a 66 28 29 3b 74 68 69 73 2e 73 69 7a 65 3d 30 3b 69 66 28 6b 29 7b 6b 3d 5f 2e 75 61 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 6b 3d 30 3d 3d 3d 6b 3f 30 3a 6b 3b 76 61 72 20 6d 3d 64 28 74 68 69 73 2c 6b 29 3b 6d 2e 6c 69 73 74 7c 7c 28 6d 2e 6c 69 73 74 3d 74 68 69 73 5b 30 5d 5b 6d 2e 69 64 5d 3d 5b 5d 29 3b 6d 2e 6e 66 3f 6d 2e 6e 66 2e 76 61 6c 75 65 3d 6c 3a 28 6d
                                                                                                                                                              Data Ascii: b=new WeakMap,c=function(k){this[0]={};this[1]=f();this.size=0;if(k){k=_.ua(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};c.prototype.set=function(k,l){k=0===k?0:k;var m=d(this,k);m.list||(m.list=this[0][m.id]=[]);m.nf?m.nf.value=l:(m
                                                                                                                                                              2024-05-04 13:21:04 UTC1255INData Raw: 6d 3d 62 2e 67 65 74 28 6c 29 3a 28 6d 3d 22 22 2b 20 2b 2b 68 2c 62 2e 73 65 74 28 6c 2c 6d 29 29 3a 6d 3d 22 70 5f 22 2b 6c 3b 76 61 72 20 6e 3d 6b 5b 30 5d 5b 6d 5d 3b 69 66 28 6e 26 26 76 61 28 6b 5b 30 5d 2c 6d 29 29 66 6f 72 28 6b 3d 30 3b 6b 3c 6e 2e 6c 65 6e 67 74 68 3b 6b 2b 2b 29 7b 76 61 72 20 70 3d 6e 5b 6b 5d 3b 69 66 28 6c 21 3d 3d 6c 26 26 70 2e 6b 65 79 21 3d 3d 70 2e 6b 65 79 7c 7c 6c 3d 3d 3d 70 2e 6b 65 79 29 72 65 74 75 72 6e 7b 69 64 3a 6d 2c 6c 69 73 74 3a 6e 2c 69 6e 64 65 78 3a 6b 2c 6e 66 3a 70 7d 7d 72 65 74 75 72 6e 7b 69 64 3a 6d 2c 6c 69 73 74 3a 6e 2c 69 6e 64 65 78 3a 2d 31 2c 6e 66 3a 76 6f 69 64 20 30 7d 7d 2c 65 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 76 61 72 20 6d 3d 6b 5b 31 5d 3b 72 65 74 75 72 6e 20 70 61 28 66
                                                                                                                                                              Data Ascii: m=b.get(l):(m=""+ ++h,b.set(l,m)):m="p_"+l;var n=k[0][m];if(n&&va(k[0],m))for(k=0;k<n.length;k++){var p=n[k];if(l!==l&&p.key!==p.key||l===p.key)return{id:m,list:n,index:k,nf:p}}return{id:m,list:n,index:-1,nf:void 0}},e=function(k,l){var m=k[1];return pa(f
                                                                                                                                                              2024-05-04 13:21:04 UTC1255INData Raw: 75 72 6e 21 31 3b 76 61 72 20 65 3d 64 2e 65 6e 74 72 69 65 73 28 29 2c 66 3d 65 2e 6e 65 78 74 28 29 3b 69 66 28 66 2e 64 6f 6e 65 7c 7c 66 2e 76 61 6c 75 65 5b 30 5d 21 3d 63 7c 7c 66 2e 76 61 6c 75 65 5b 31 5d 21 3d 63 29 72 65 74 75 72 6e 21 31 3b 66 3d 65 2e 6e 65 78 74 28 29 3b 72 65 74 75 72 6e 20 66 2e 64 6f 6e 65 7c 7c 66 2e 76 61 6c 75 65 5b 30 5d 3d 3d 63 7c 7c 34 21 3d 66 2e 76 61 6c 75 65 5b 30 5d 2e 78 7c 7c 66 2e 76 61 6c 75 65 5b 31 5d 21 3d 66 2e 76 61 6c 75 65 5b 30 5d 3f 21 31 3a 65 2e 6e 65 78 74 28 29 2e 64 6f 6e 65 7d 63 61 74 63 68 28 68 29 7b 72 65 74 75 72 6e 21 31 7d 7d 28 29 29 72 65 74 75 72 6e 20 61 3b 76 61 72 20 62 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 74 68 69 73 2e 44 61 3d 6e 65 77 20 4d 61 70 3b 69 66 28 63 29 7b 63 3d
                                                                                                                                                              Data Ascii: urn!1;var e=d.entries(),f=e.next();if(f.done||f.value[0]!=c||f.value[1]!=c)return!1;f=e.next();return f.done||f.value[0]==c||4!=f.value[0].x||f.value[1]!=f.value[0]?!1:e.next().done}catch(h){return!1}}())return a;var b=function(c){this.Da=new Map;if(c){c=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49751 | 20.114.59.183 | 443 | (none recorded) | (none recorded)
Timestamp | Bytes transferred | Direction | Data
2024-05-04 13:21:14 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+83avNG6Z9wwMVh&MD=ybDA+rmd HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
2024-05-04 13:21:14 UTC | 560 | IN | HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/octet-stream
    Expires: -1
    Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
    ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
    MS-CorrelationId: 5d5b0ae0-5efd-44c2-b325-fdbc45475428
    MS-RequestId: 02592977-878a-4b0b-b239-dba19969eebd
    MS-CV: Mzb/eVdc90+VKMcL.0
    X-Microsoft-SLSClientCache: 2880
    Content-Disposition: attachment; filename=environment.cab
    X-Content-Type-Options: nosniff
    Date: Sat, 04 May 2024 13:21:13 GMT
    Connection: close
    Content-Length: 24490
2024-05-04 13:21:14 UTC | 15824 | IN | Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
    Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-04 13:21:14 UTC | 8666 | IN | Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
    Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1
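The 13:21:14 response in session 5 is served as application/octet-stream with Content-Disposition filename=environment.cab, and the first bytes of its body are the MSCF cabinet signature. The Python below is an added triage example and is not part of the Joe Sandbox report: it splits one of the report's fused Data Raw rows back into its columns, decodes the CFHEADER, header reserve, first CFFOLDER, first CFFILE and first CFDATA header according to the MS-CAB layout, and checks the embedded lengths against the response's Content-Length. The 110-byte payload is copied verbatim from the row above (the rest of the 15824-byte record is not needed for the header check). Reading the 20-byte header reserve as the offset and size of a trailing Authenticode signature is an assumption about signed cabinets made here; the arithmetic in the checks (offset equals cbCabinet, offset plus size equals Content-Length) is what confirms it for this capture.

```python
"""Decode the MSCF cabinet header captured in session 5 and check it against the
HTTP Content-Length of the same response (added triage example, not report code)."""
import re
import struct

# Session 5 "Data Raw" row copied from the report as it appears (timestamp, byte
# count and direction run together), hex column truncated to the first 110 bytes.
SESSION5_ROW = (
    "2024-05-04 13:21:14 UTC15824INData Raw: "
    "4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 "
    "03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 "
    "18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 "
    "00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e "
    "63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b"
)
CONTENT_LENGTH = 24490  # Content-Length header of the same 200 OK response

# Layout of the fused row: "<timestamp UTC><bytes><IN|OUT>Data Raw: <hex bytes>"
ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC)(?P<n>\d+)(?P<dir>IN|OUT)"
    r"Data Raw: (?P<hex>[0-9a-fA-F ]+)$"
)
COMPRESSION = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}


def parse_data_raw_row(row: str) -> dict:
    """Split a fused Data Raw row into its columns and decode the hex payload."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError("not a Data Raw row")
    return {"timestamp": m["ts"], "bytes": int(m["n"]),
            "direction": m["dir"], "data": bytes.fromhex(m["hex"])}


def parse_cab_header(data: bytes) -> dict:
    """Decode CFHEADER, header reserve, first CFFOLDER, first CFFILE and the
    first CFDATA header (MS-CAB layout, little-endian throughout)."""
    (sig, cb_cabinet, coff_files, ver_minor, ver_major, c_folders, c_files,
     flags, set_id, _i_cabinet) = struct.unpack_from("<4s4xI4xI4xBBHHHHH", data, 0)
    if sig != b"MSCF":
        raise ValueError("no MSCF signature")
    pos, cb_cf_folder, cb_cf_data = 36, 0, 0
    sig_offset = sig_size = None
    if flags & 0x0004:  # cfhdrRESERVE_PRESENT: per-header/folder/data reserve sizes follow
        cb_cf_header, cb_cf_folder, cb_cf_data = struct.unpack_from("<HBB", data, pos)
        reserve = data[pos + 4:pos + 4 + cb_cf_header]
        pos += 4 + cb_cf_header
        if cb_cf_header == 20:
            # Assumed layout of the reserve in Authenticode-signed cabinets:
            # 4-byte marker, LE32 offset of the trailing PKCS#7 blob, LE32 size, 8 zero bytes.
            sig_offset, sig_size = struct.unpack_from("<4xII8x", reserve, 0)
    coff_cab_start, c_cfdata, type_compress = struct.unpack_from("<IHH", data, pos)
    cb_file, _uoff, _i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", data, coff_files)
    name_end = data.index(b"\0", coff_files + 16)
    file_name = data[coff_files + 16:name_end].decode("utf-8")
    _csum, cb_data, cb_uncomp = struct.unpack_from("<IHH", data, coff_cab_start)
    block_start = coff_cab_start + 8 + cb_cf_data
    return {
        "version": (ver_major, ver_minor), "cb_cabinet": cb_cabinet,
        "c_folders": c_folders, "c_files": c_files, "flags": flags, "set_id": set_id,
        "compression": COMPRESSION.get(type_compress & 0xF, "unknown"),
        "coff_cab_start": coff_cab_start, "c_cfdata": c_cfdata,
        "file_name": file_name, "cb_file": cb_file, "attribs": attribs,
        "cb_data": cb_data, "cb_uncomp": cb_uncomp,
        "block_magic": data[block_start:block_start + 2],  # MSZIP blocks start with "CK"
        # Only computable from the first CFDATA header when the folder has one block.
        "cab_body_end": block_start + cb_data if c_cfdata == 1 else None,
        "sig_offset": sig_offset, "sig_size": sig_size,
    }


def check_signed_cab(h: dict, content_length: int) -> dict:
    """Consistency checks before filing the session as OS background traffic."""
    return {
        "body_ends_at_cb_cabinet": h["cab_body_end"] == h["cb_cabinet"],
        "signature_starts_at_cab_end": h["sig_offset"] == h["cb_cabinet"],
        "cab_plus_signature_is_content_length":
            h["sig_offset"] is not None and h["sig_offset"] + h["sig_size"] == content_length,
        "first_block_is_mszip": h["compression"] == "MSZIP" and h["block_magic"] == b"CK",
    }


if __name__ == "__main__":
    row = parse_data_raw_row(SESSION5_ROW)
    hdr = parse_cab_header(row["data"])
    for k, v in hdr.items():
        print(f"{k:>28}: {v}")
    for k, v in check_signed_cab(hdr, CONTENT_LENGTH).items():
        print(f"{k:>40}: {v}")
```

Session 5 has no PID or process attributed and identifies itself as Windows-Update-Agent; when the header fields line up (cbCabinet 7826, a 16664-byte signature starting exactly there, 24490 bytes in total, matching Content-Length), the session can be set aside as OS background traffic rather than sample activity without relying on the User-Agent string alone. A C2 download dressed up as a cabinet would have to get every one of these internal offsets right to pass the same check.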


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49758 | 142.250.72.174 | 443 | 7208 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-04 13:21:43 UTC | 872 | OUT | GET /widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP/1.1
    Host: ogs.google.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: iframe
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
2024-05-04 13:21:43 UTC | 2497 | IN | HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    X-Frame-Options: ALLOW-FROM chrome-untrusted://new-tab-page
    Content-Security-Policy: frame-ancestors chrome-untrusted://new-tab-page chrome://new-tab-page
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/OneGoogleWidgetUi/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-ANFaue5R-ScgTYax3LfSMg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/OneGoogleWidgetUi/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/OneGoogleWidgetUi/cspreport/allowlist
    x-ua-compatible: IE=edge
    Expires: Sat, 04 May 2024 13:21:43 GMT
    Date: Sat, 04 May 2024 13:21:43 GMT
    Cache-Control: private, max-age=259200
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Resource-Policy: same-site
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy-Report-Only: require-corp; report-to="CoepOneGoogleWidgetUi"
    Report-To: {"group":"CoepOneGoogleWidgetUi","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/OneGoogleWidgetUi"}]}
    reporting-endpoints: default="/_/OneGoogleWidgetUi/web-reports?context=eJzjstHikmLw0pBiUAjbyXTv-zOmgpUvmCS-vmTSAGKn9BmsQUDsUz-DNQaIW2-eY50KxEn_zrMWAbEQD8fzNzc2sgmsOHzmISMATVggKQ"
    Server: ESF
    X-XSS-Protection: 0
    X-Content-Type-Options: nosniff
    Set-Cookie: NID=513=mPPPqpDMrDFUKWs8QWCE0CfLRBKkKmj_o5FDyqsicCmeUBwk9I5OXwE3RMm_CMffzYSx9ZIPSTxmM-VQzSv_mLJjyXRSUzvk9haotAWoVcJ8iqK3NFmfA42wDu-YwqQ9vhflBU2dO2t8pCNEAbMtpv2HO6denIteuHo8gbtxJng; expires=Sun, 03-Nov-2024 13:21:43 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
2024-05-04 13:21:43 UTC | 2497 | IN | Data Raw: 38 30 30 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 3e 3c 68 65 61 64 3e 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6f 67 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 22 3e 3c 6c 69 6e 6b 20 72 65 66 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6f 72 69 67 69 6e 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 63 61 6e 6f 6e 69 63 61 6c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6f 67 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 77 69 64 67 65 74 2f 61 70 70 2f 73 6f 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70
    Data Ascii: 8000<!doctype html><html lang="en" dir="ltr"><head><base href="https://ogs.google.com/"><link ref="preconnect" href="//www.gstatic.com"><meta name="referrer" content="origin"><link rel="canonical" href="https://ogs.google.com/widget/app/so"><link rel="p
2024-05-04 13:21:43 UTC | 2497 | IN | Data Raw: 6d 6c 45 6c 3d 6d 3b 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 6c 6f 61 64 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 62 3d 62 2e 74 61 72 67 65 74 3b 76 61 72 20 63 3b 22 49 4d 47 22 21 3d 62 2e 74 61 67 4e 61 6d 65 7c 7c 62 2e 68 61 73 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 69 69 64 22 29 7c 7c 61 2e 5f 69 73 4c 61 7a 79 49 6d 61 67 65 28 62 29 7c 7c 62 2e 68 61 73 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 6e 6f 61 66 74 22 29 7c 7c 28 63 3d 6d 28 62 29 29 3b 69 66 28 61 2e 61 66 74 5f 63 6f 75 6e 74 65 72 26 26 28 62 3d 61 2e 61 66 74 5f 63 6f 75 6e 74 65 72 2e 69 6e 64 65 78 4f 66 28 62 29 2c 2d 31 21 3d 3d 62 26 26 28 62 3d 31 3d 3d 3d 61 2e 61 66 74
    Data Ascii: mlEl=m;document.documentElement.addEventListener("load",function(b){b=b.target;var c;"IMG"!=b.tagName||b.hasAttribute("data-iid")||a._isLazyImage(b)||b.hasAttribute("data-noaft")||(c=m(b));if(a.aft_counter&&(b=a.aft_counter.indexOf(b),-1!==b&&(b=1===a.aft
2024-05-04 13:21:43 UTC | 2497 | IN | Data Raw: 74 62 7b 68 65 69 67 68 74 3a 35 36 70 78 7d 2e 6b 46 77 50 65 65 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 3b 68 65 69 67 68 74 3a 31 30 30 25 7d 2e 79 64 4d 4d 45 62 7b 68 65 69 67 68 74 3a 35 36 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 53 53 50 47 4b 66 7b 6f 76 65 72 66 6c 6f 77 2d 79 3a 68 69 64 64 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 62 6f 74 74 6f 6d 3a 30 3b 6c 65 66 74 3a 30 3b 72 69 67 68 74 3a 30 3b 74 6f 70 3a 30 7d 2e 65 63 4a 45 69 62 20 2e 41 4f 71 34 74 62 2c 2e 65 63 4a 45 69 62 20 2e 79 64 4d 4d 45 62 7b 68 65 69 67 68 74 3a 36 34 70 78 7d 2e 65 32 47 33 46 62 2e 45 57 5a 63 75 64 20 2e 41 4f 71 34 74 62 2c 2e 65 32 47 33 46 62 2e 45 57 5a 63 75 64 20 2e 79 64 4d 4d
    Data Ascii: tb{height:56px}.kFwPee{position:relative;z-index:1;height:100%}.ydMMEb{height:56px;width:100%}.SSPGKf{overflow-y:hidden;position:absolute;bottom:0;left:0;right:0;top:0}.ecJEib .AOq4tb,.ecJEib .ydMMEb{height:64px}.e2G3Fb.EWZcud .AOq4tb,.e2G3Fb.EWZcud .ydMM
2024-05-04 13:21:43 UTC | 2497 | IN | Data Raw: 2e 6e 7a 39 73 71 62 2e 6f 30 37 47 35 20 2e 74 58 39 75 31 62 3a 61 63 74 69 76 65 3a 68 6f 76 65 72 20 2e 52 71 35 47 63 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 32 64 32 65 33 30 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 6f 70 61 63 69 74 79 3a 2e 38 7d 2e 74 58 39 75 31 62 5b 64 72 61 67 67 61 62 6c 65 3d 66 61 6c 73 65 5d 7b 2d 77 65 62 6b 69 74 2d 74 6f 75 63 68 2d 63 61 6c 6c 6f 75 74 3a 6e 6f 6e 65 3b 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 7d 2e 4d 72 45 66 4c 63 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 35 33 70 78 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 3b 77 69 64 74 68 3a 35 33 70 78 7d 2e 43 67 77 54 44 62 7b 68 65 69
    Data Ascii: .nz9sqb.o07G5 .tX9u1b:active:hover .Rq5Gcb{background-color:#2d2e30;border-color:transparent;opacity:.8}.tX9u1b[draggable=false]{-webkit-touch-callout:none;user-select:none}.MrEfLc{display:inline-block;height:53px;vertical-align:top;width:53px}.CgwTDb{hei
2024-05-04 13:21:43 UTC | 2497 | IN | Data Raw: 72 6f 6c 6c 62 61 72 2d 74 68 75 6d 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 72 67 62 28 39 35 2c 39 39 2c 31 30 34 29 7d 2e 45 48 7a 63 65 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 2c 2e 45 48 7a 63 65 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 2e 6a 46 56 30 6e 7b 68 65 69 67 68 74 3a 34 30 70 78 3b 6d 61 72 67 69 6e 3a 38 70 78 3b 77 69 64 74 68 3a 34 30 70 78 7d 2e 6e 7a 39 73 71 62 20 2e 6a 46 56 30 6e 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 4f 75 6e 5a 39 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 62 6f 72 64 65 72 3a 31 70 78 20
    Data Ascii: rollbar-thumb{background-color:rgb(95,99,104)}.EHzcec::-webkit-scrollbar-track,.EHzcec::-webkit-scrollbar-track:hover{background:none;border:none}.jFV0n{height:40px;margin:8px;width:40px}.nz9sqb .jFV0n{position:relative}.OunZ9c{background:#fff;border:1px
2024-05-04 13:21:43 UTC | 2497 | IN | Data Raw: 31 30 70 78 7d 2e 75 34 52 63 55 64 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 7d 2e 6e 7a 39 73 71 62 2e 45 48 7a 63 65 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 32 38 32 61 32 63 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 73 75 72 66 61 63 65 2d 63 6f 6e 74 61 69 6e 65 72 2d 68 69 67 68 2c 23 32 38 32 61 32 63 29 7d 2e 6e 7a 39 73 71 62 2e 45 48 7a 63 65 63 20 2e 4c 56 61 6c 37 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 31 62 31 62 31 62 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 73 75 72 66 61 63 65 2d 63 6f 6e 74 61 69 6e 65 72 2d 6c 6f 77 2c 23 31 62 31 62 31 62 29 3b 63 6f 6c 6f 72 3a 23 63 34 63 37 63 35 3b 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 67
    Data Ascii: 10px}.u4RcUd{padding-top:0}.nz9sqb.EHzcec{background:#282a2c;background:var(--gm3-sys-color-surface-container-high,#282a2c)}.nz9sqb.EHzcec .LVal7b{background:#1b1b1b;background:var(--gm3-sys-color-surface-container-low,#1b1b1b);color:#c4c7c5;color:var(--g
2024-05-04 13:21:43 UTC | 2497 | IN | Data Raw: 25 3b 6f 70 61 63 69 74 79 3a 30 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 30 30 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 30 62 35 37 64 30 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 70 72 69 6d 61 72 79 2c 23 30 62 35 37 64 30 29 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 6f 70 61 63 69 74 79 20 2e 35 73 20 65 61 73 65 2d 6f 75 74 7d 2e 4e 51 56 33 6d 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 34 37 37 37 35 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 6f 75 74 6c 69 6e 65 2c 23 37 34 37 37 37 35 29 7d 2e 4e 51 56 33 6d 3a 68 6f 76 65 72 3a 62 65 66 6f 72 65 7b 6f 70 61 63
                                                                                                                                                              Data Ascii: %;opacity:0;border-radius:100px;background:#0b57d0;background:var(--gm3-sys-color-primary,#0b57d0);transition:opacity .5s ease-out}.NQV3m:hover{background:none;border-color:#747775;border-color:var(--gm3-sys-color-outline,#747775)}.NQV3m:hover:before{opac
                                                                                                                                                              2024-05-04 13:21:43 UTC2497INData Raw: 63 6f 6c 6f 72 2d 70 72 69 6d 61 72 79 2c 23 61 38 63 37 66 61 29 7d 2e 45 48 7a 63 65 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 7b 77 69 64 74 68 3a 38 70 78 7d 2e 45 48 7a 63 65 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 68 75 6d 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6c 69 70 3a 70 61 64 64 69 6e 67 2d 62 6f 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 33 31 2c 33 31 2c 33 31 2c 2e 31 36 29 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 38 70 78 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 31 38 35 70 78 3b 6d 61 78 2d 68 65 69 67 68 74 3a 33 33 25 7d 2e 45 48 7a 63 65 63
                                                                                                                                                              Data Ascii: color-primary,#a8c7fa)}.EHzcec::-webkit-scrollbar{width:8px}.EHzcec::-webkit-scrollbar-thumb{background-clip:padding-box;background-color:rgba(31,31,31,.16);border-radius:8px;border:1px solid transparent;box-shadow:none;height:185px;max-height:33%}.EHzcec
                                                                                                                                                              2024-05-04 13:21:43 UTC2497INData Raw: 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 31 70 78 3b 62 6f 72 64 65 72 3a 2e 35 70 78 20 73 6f 6c 69 64 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 66 38 66 61 66 64 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 73 75 72 66 61 63 65 2d 63 6f 6e 74 61 69 6e 65 72 2d 6c 6f 77 2c 23 66 38 66 61 66 64 29 7d 2e 51 67 64 64 55 63 20 2e 6b 69 62 50 36 62 3a 66 6f 63 75 73 2c 2e 51 67 64 64 55 63 20 2e 6c 48 74 53 62 64 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 64 64 65 33 65 61 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 73 75 72 66 61 63 65 2d 63 6f 6e 74
                                                                                                                                                              Data Ascii: px;position:absolute;top:1px;border:.5px solid;border-color:#f8fafd;border-color:var(--gm3-sys-color-surface-container-low,#f8fafd)}.QgddUc .kibP6b:focus,.QgddUc .lHtSbd:focus{border:1px solid;background:#dde3ea;background:var(--gm3-sys-color-surface-cont
                                                                                                                                                              2024-05-04 13:21:43 UTC2497INData Raw: 55 2b 30 33 30 30 2d 30 33 30 31 2c 55 2b 30 33 30 33 2d 30 33 30 34 2c 55 2b 30 33 30 38 2d 30 33 30 39 2c 55 2b 30 33 32 33 2c 55 2b 30 33 32 39 2c 55 2b 31 45 41 30 2d 31 45 46 39 2c 55 2b 32 30 41 42 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 52 6f 62 6f 74 6f 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 73 72 63 3a 75 72 6c 28 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 72 6f 62 6f 74 6f 2f 76 31 38 2f 4b 46 4f 6d 43 6e 71 45 75 39 32 46 72 31 4d 75 37 47 78 4b 4f 7a 59 2e 77 6f 66 66 32 29 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 55 2b 30 31 30 30 2d 30 32 41 46 2c 55 2b 30 33 30 34
                                                                                                                                                              Data Ascii: U+0300-0301,U+0303-0304,U+0308-0309,U+0323,U+0329,U+1EA0-1EF9,U+20AB;}@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:url(//fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu7GxKOzY.woff2)format('woff2');unicode-range:U+0100-02AF,U+0304


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49770 | 40.68.123.157 | 443 | (empty) | (empty)
Timestamp | Bytes transferred | Direction | Data
2024-05-04 13:21:52 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+83avNG6Z9wwMVh&MD=ybDA+rmd HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
2024-05-04 13:21:53 UTC | 560 | IN | HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/octet-stream
Expires: -1
Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160"
MS-CorrelationId: 423c526f-025f-4836-af73-b50d84986dfc
MS-RequestId: 13c884fd-6385-4575-81bd-6a1a0cc8c823
MS-CV: fEo8KPAIWEOXggT3.0
X-Microsoft-SLSClientCache: 2160
Content-Disposition: attachment; filename=environment.cab
X-Content-Type-Options: nosniff
Date: Sat, 04 May 2024 13:21:51 GMT
Connection: close
Content-Length: 25457
2024-05-04 13:21:53 UTC | 15824 | IN | Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92
Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-04 13:21:53 UTC | 9633 | IN | Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a
Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq
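The session 7 download parsed as a Microsoft cabinet, as an added worked example that is not part of the Joe Sandbox report. It embeds the first 110 bytes of the first Data Raw record above (up to the "CK" MSZIP block signature) together with the Content-Length and the two record sizes from the same session, and walks CFHEADER, CFFOLDER, CFFILE and the first CFDATA block with the documented little-endian layouts. Reading the 20-byte header reserve as an Authenticode signature pointer (marker 00 00 10 00, then offset and length) is this example's interpretation rather than something the report states; the page's own numbers bear it out, since the cabinet ends at 8785 and 8785 + 16672 equals the 25457-byte body. A response whose records do not add up, or whose trailer does not fill the body, is the thing to look at more closely when the same session sits next to real C2 traffic.

```python
"""Parse the start of the environment.cab download in session 7 and check
that its internal sizes agree with the HTTP Content-Length of 25457."""
import struct

# First 110 bytes of the response body, copied from the first "Data Raw"
# record of session 7 (up to the "CK" MSZIP block signature).
CAB_PREFIX = bytes.fromhex(
    "4d534346 00000000 51220000 00000000 44000000 00000000"  # CFHEADER: sig, res, cbCabinet, res, coffFiles, res
    "0301 0100 0100 0400 db8e 0000"                         # version 1.3, cFolders, cFiles, flags, setID, iCabinet
    "1400 00 00"                                            # cbCFHeader=20, cbCFFolder=0, cbCFData=0
    "00001000 51220000 20410000 00000000 00000000"          # 20-byte header reserve
    "64000000 0100 0100"                                    # CFFOLDER: coffCabStart, cCFData, typeCompress
    "f3430000 00000000 0000 0000 0000 8000"                 # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs
    "656e7669726f6e6d656e742e63616200"                      # "environment.cab\0"
    "0d926fdb e521 f343 434b"                               # CFDATA: csum, cbData, cbUncomp, then "CK"
)
HTTP_CONTENT_LENGTH = 25457          # from the response headers of session 7
DATA_RECORD_SIZES = (15824, 9633)    # the two IN data records of session 7

CFHDR_PREV_CABINET = 0x0001
CFHDR_NEXT_CABINET = 0x0002
CFHDR_RESERVE_PRESENT = 0x0004
COMPRESSION_NAMES = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}
# Assumption of this example: Authenticode-signed cabinets mark the header
# reserve with this value and follow it with the signature offset and length.
SIGNED_CAB_RESERVE_MAGIC = b"\x00\x00\x10\x00"


def parse_cab_prefix(buf: bytes) -> dict:
    """Walk CFHEADER -> CFFOLDER -> CFFILE -> first CFDATA of a single-folder,
    single-file cabinet and return the fields a triage check needs."""
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, i_cabinet) = struct.unpack_from("<4sIIIIIBBHHHHH", buf, 0)
    if sig != b"MSCF":
        raise ValueError(f"not a cabinet: signature {sig!r}")
    if flags & (CFHDR_PREV_CABINET | CFHDR_NEXT_CABINET):
        raise ValueError("multi-cabinet sets are not handled here")
    pos = 36
    reserve, cb_folder_res, cb_data_res = b"", 0, 0
    if flags & CFHDR_RESERVE_PRESENT:
        cb_header_res, cb_folder_res, cb_data_res = struct.unpack_from("<HBB", buf, pos)
        pos += 4
        reserve = buf[pos:pos + cb_header_res]
        pos += cb_header_res
    # CFFOLDER follows the optional reserve; only the first folder is read.
    coff_cab_start, c_cfdata, type_compress = struct.unpack_from("<IHH", buf, pos)
    # CFFILE lives at coffFiles from the header, not directly after CFFOLDER.
    cb_file, uoff_folder_start, i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", buf, coff_files)
    name_start = coff_files + 16
    name_end = buf.index(b"\x00", name_start)
    name = buf[name_start:name_end].decode("utf-8" if attribs & 0x80 else "latin-1")
    # First CFDATA block of the folder.
    csum, cb_data, cb_uncomp = struct.unpack_from("<IHH", buf, coff_cab_start)
    block_start = coff_cab_start + 8 + cb_data_res
    signature = None
    if len(reserve) >= 12 and reserve[:4] == SIGNED_CAB_RESERVE_MAGIC:
        sig_off, sig_len = struct.unpack_from("<II", reserve, 4)
        signature = {"offset": sig_off, "length": sig_len}
    return {
        "version": f"{ver_major}.{ver_minor}",
        "cb_cabinet": cb_cabinet, "c_folders": c_folders, "c_files": c_files,
        "flags": flags, "set_id": set_id, "i_cabinet": i_cabinet,
        "coff_cab_start": coff_cab_start, "c_cfdata": c_cfdata,
        "compression": COMPRESSION_NAMES.get(type_compress & 0x0F, f"type{type_compress & 0x0F}"),
        "file_name": name, "cb_file": cb_file, "uoff_folder_start": uoff_folder_start, "i_folder": i_folder,
        "cfdata_csum": csum, "cb_data": cb_data, "cb_uncomp": cb_uncomp,
        "block_magic": buf[block_start:block_start + 2],
        "cb_data_reserve": cb_data_res,
        "signature": signature,
    }


def check_sizes(info: dict, content_length: int, record_sizes) -> dict:
    """Size arithmetic a responder can do without inflating the data: do the
    captured records add up, does the cabinet end where its header says,
    and does the appended signature fill the rest of the HTTP body?"""
    # The last CFDATA block ends the cabinet; this holds for one block (c_cfdata == 1).
    cab_end = info["coff_cab_start"] + 8 + info["cb_data_reserve"] + info["cb_data"]
    sig = info["signature"]
    return {
        "records_sum_to_content_length": sum(record_sizes) == content_length,
        "single_block_folder": info["c_cfdata"] == 1,
        "cabinet_length_consistent": info["cb_cabinet"] == cab_end,
        "signature_fills_body": sig is not None
            and sig["offset"] == info["cb_cabinet"]
            and sig["offset"] + sig["length"] == content_length,
        "uncompressed_size_matches_file": info["cb_uncomp"] == info["cb_file"],
    }


if __name__ == "__main__":
    info = parse_cab_prefix(CAB_PREFIX)
    for key, value in info.items():
        print(f"{key:32} {value!r}")
    print(check_sizes(info, HTTP_CONTENT_LENGTH, DATA_RECORD_SIZES))
```

The checks deliberately stop short of verifying the PKCS#7 blob; that needs the full 25457 bytes and a trust store, which the report does not provide. For a capture where every check passes and the request went to slscr.update.microsoft.com with the Windows Update user agent, the session is background update traffic rather than part of the sample's behaviour, even though the report records no PID for it.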


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49774 | 142.250.189.144 | 443 | 7208 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-04 13:22:18 UTC | 539 | OUT | OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1
Host: play.google.com
Connection: keep-alive
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: x-goog-authuser
Origin: https://ogs.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Fetch-Dest: empty
Referer: https://ogs.google.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-05-04 13:22:18 UTC | 515 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://ogs.google.com
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Max-Age: 86400
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser
Content-Type: text/plain; charset=UTF-8
Date: Sat, 04 May 2024 13:22:18 GMT
Server: Playlog
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49775 | 142.250.189.144 | 443 | 7208 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-04 13:22:18 UTC | 947 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
Host: play.google.com
Connection: keep-alive
Content-Length: 787
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
Content-Type: text/plain;charset=UTF-8
X-Goog-AuthUser: 0
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: https://ogs.google.com
X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://ogs.google.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: NID=513=mPPPqpDMrDFUKWs8QWCE0CfLRBKkKmj_o5FDyqsicCmeUBwk9I5OXwE3RMm_CMffzYSx9ZIPSTxmM-VQzSv_mLJjyXRSUzvk9haotAWoVcJ8iqK3NFmfA42wDu-YwqQ9vhflBU2dO2t8pCNEAbMtpv2HO6denIteuHo8gbtxJng
2024-05-04 13:22:18 UTC | 787 | OUT | Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 6f 6e 65 67 6f 6f 67 6c 65 68 74 74 70 73 65 72 76 65 72 5f 32 30 32 34 30 34 33 30 2e 30 31 5f 70 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31
Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_onegooglehttpserver_20240430.01_p1",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],1
2024-05-04 13:22:19 UTC | 920 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://ogs.google.com
Cross-Origin-Resource-Policy: cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-Playlog-Web
Set-Cookie: NID=513=ON-263QZXt9Weooq4tM-X7f_gPZYX_UROX833_yqu-2GKj7wBRvMMF_Z8Hh_g785FV-f1eGZZ3bmuxVot588IRQ_TPzkUmoPYhH9VZfNdSFfe5oLbWL0o3mTVMkjR2y5hkTF1a_qbB89fDZKW_cIDuWlJVWJsC3zjL1NGiEc0tU; expires=Sun, 03-Nov-2024 13:22:19 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Type: text/plain; charset=UTF-8
Date: Sat, 04 May 2024 13:22:19 GMT
Server: Playlog
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Expires: Sat, 04 May 2024 13:22:19 GMT
Connection: close
Transfer-Encoding: chunked
2024-05-04 13:22:19 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-05-04 13:22:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49776 | 142.250.176.144 | 443 | 7208 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-04 13:22:19 UTC | 664 bytes | OUT | GET /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                                                                                                                              Host: play.google.com
                                                                                                                                                              Connection: keep-alive
                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                                                                              Accept: */*
                                                                                                                                                              X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
                                                                                                                                                              Sec-Fetch-Site: none
                                                                                                                                                              Sec-Fetch-Mode: cors
                                                                                                                                                              Sec-Fetch-Dest: empty
                                                                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                                                                                              Cookie: NID=513=ON-263QZXt9Weooq4tM-X7f_gPZYX_UROX833_yqu-2GKj7wBRvMMF_Z8Hh_g785FV-f1eGZZ3bmuxVot588IRQ_TPzkUmoPYhH9VZfNdSFfe5oLbWL0o3mTVMkjR2y5hkTF1a_qbB89fDZKW_cIDuWlJVWJsC3zjL1NGiEc0tU
2024-05-04 13:22:19 UTC | 270 bytes | IN | HTTP/1.1 400 Bad Request
                                                                                                                                                              Date: Sat, 04 May 2024 13:22:19 GMT
                                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                                              Server: Playlog
                                                                                                                                                              Content-Length: 1555
                                                                                                                                                              X-XSS-Protection: 0
                                                                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                                              Connection: close
2024-05-04 13:22:19 UTC | 985 bytes | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 30 20 28 42 61 64 20 52 65 71 75 65 73 74 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d
                                                                                                                                                              Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 400 (Bad Request)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-
2024-05-04 13:22:19 UTC | 570 bytes | IN | Data Raw: 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70
                                                                                                                                                              Data Ascii: -image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-rep


                                                                                                                                                              Target ID:0
                                                                                                                                                              Start time:15:20:52
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Users\user\Desktop\OgcktrbHkI.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Users\user\Desktop\OgcktrbHkI.exe"
                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                              File size:334'336 bytes
                                                                                                                                                              MD5 hash:35F519000AD078D242C0BCE097C59B31
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Yara matches:
                                                                                                                                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1671898553.0000000001C1B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                              Reputation:low
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:1
                                                                                                                                                              Start time:15:20:53
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki\
                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:2
                                                                                                                                                              Start time:15:20:53
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:3
                                                                                                                                                              Start time:15:20:54
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\kofydeki\
                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:4
                                                                                                                                                              Start time:15:20:54
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:5
                                                                                                                                                              Start time:15:20:55
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                                                                                              Imagebase:0x760000
                                                                                                                                                              File size:61'440 bytes
                                                                                                                                                              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:moderate
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:6
                                                                                                                                                              Start time:15:20:55
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high
                                                                                                                                                              Has exited:true

Target ID:7
Start time:15:20:56
Start date:04/05/2024
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\sc.exe" description kofydeki "wifi internet conection"
Imagebase:0x760000
File size:61'440 bytes
MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:8
Start time:15:20:56
Start date:04/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:15:20:57
Start date:04/05/2024
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\sc.exe" start kofydeki
Imagebase:0x760000
File size:61'440 bytes
MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:10
Start time:15:20:57
Start date:04/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:15:20:57
Start date:04/05/2024
Path:C:\Windows\SysWOW64\kofydeki\pspizbvl.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d"C:\Users\user\Desktop\OgcktrbHkI.exe"
Imagebase:0x400000
File size:14'476'288 bytes
MD5 hash:B50406135DB8929E333AE2BDD1EE42FF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.1671238466.0000000001B45000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
Reputation:low
Has exited:true

Target ID:12
Start time:15:20:57
Start date:04/05/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:13
Start time:15:20:57
Start date:04/05/2024
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0xef0000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:moderate
Has exited:false

Target ID:14
Start time:15:20:57
Start date:04/05/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase:0x1560000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:15
Start time:15:20:57
Start date:04/05/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:0x7ff6eef20000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:15:20:57
Start date:04/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:15:20:57
Start date:04/05/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156
Imagebase:0xe60000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                              Target ID:18
                                                                                                                                                              Start time:15:20:57
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6672 -ip 6672
                                                                                                                                                              Imagebase:0xe60000
                                                                                                                                                              File size:483'680 bytes
                                                                                                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:19
                                                                                                                                                              Start time:15:20:57
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:20
                                                                                                                                                              Start time:15:20:58
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1976,i,15118944360220751254,1504055466682295701,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                              Imagebase:0x7ff76e190000
                                                                                                                                                              File size:3'242'272 bytes
                                                                                                                                                              MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:21
                                                                                                                                                              Start time:15:20:58
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 544
                                                                                                                                                              Imagebase:0xe60000
                                                                                                                                                              File size:483'680 bytes
                                                                                                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:22
                                                                                                                                                              Start time:15:20:58
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 648
                                                                                                                                                              Imagebase:0xe60000
                                                                                                                                                              File size:483'680 bytes
                                                                                                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:26
                                                                                                                                                              Start time:15:21:41
                                                                                                                                                              Start date:04/05/2024
                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

Execution Graph

Execution Coverage:3.6%
Dynamic/Decrypted Code Coverage:2.1%
Signature Coverage:25.6%
Total number of Nodes:1550
Total number of Limit Nodes:18
AllocateAndInitializeSid 15405->15406 15412 406f55 15405->15412 15407 406f1c CheckTokenMembership 15406->15407 15410 406f44 15406->15410 15408 406f3b FreeSid 15407->15408 15409 406f2e 15407->15409 15408->15410 15409->15408 15410->15412 15439 406e36 GetUserNameW 15410->15439 15412->15027 15415 40920e 15413->15415 15417 409308 15413->15417 15414 4092f1 Sleep 15414->15415 15415->15414 15415->15415 15416 4092bf ShellExecuteA 15415->15416 15415->15417 15416->15415 15416->15417 15417->15044 15419 40ef32 15418->15419 15419->15043 15421 40f0f1 15420->15421 15422 40f0ed 15420->15422 15423 40f119 15421->15423 15424 40f0fa lstrlenA SysAllocStringByteLen 15421->15424 15422->15049 15426 40f11c MultiByteToWideChar 15423->15426 15425 40f117 15424->15425 15424->15426 15425->15049 15426->15425 15428 401820 17 API calls 15427->15428 15429 4018f2 15428->15429 15430 4018f9 15429->15430 15442 401280 15429->15442 15430->15044 15432 401908 15432->15044 15454 401000 15433->15454 15435 401839 15436 401851 GetCurrentProcess 15435->15436 15437 40183d 15435->15437 15438 401864 15436->15438 15437->15035 15438->15035 15440 406e97 15439->15440 15441 406e5f LookupAccountNameW 15439->15441 15440->15412 15441->15440 15443 4012e1 15442->15443 15444 4016f9 GetLastError 15443->15444 15451 4013a8 15443->15451 15450 401699 15444->15450 15445 401570 lstrlenW 15445->15451 15446 4015be GetStartupInfoW 15446->15451 15447 4015ff CreateProcessWithLogonW 15448 4016bf GetLastError 15447->15448 15449 40163f WaitForSingleObject 15447->15449 15448->15450 15449->15451 15452 401659 CloseHandle 15449->15452 15450->15432 15451->15445 15451->15446 15451->15447 15451->15450 15453 401668 CloseHandle 15451->15453 15452->15451 15453->15451 15455 40100d LoadLibraryA 15454->15455 15468 401023 15454->15468 15456 401021 15455->15456 15455->15468 15456->15435 15457 4010b5 GetProcAddress 15458 4010d1 GetProcAddress 15457->15458 15459 40127b 15457->15459 15458->15459 15460 4010f0 GetProcAddress 15458->15460 15459->15435 
15460->15459 15461 401110 GetProcAddress 15460->15461 15461->15459 15462 401130 GetProcAddress 15461->15462 15462->15459 15463 40114f GetProcAddress 15462->15463 15463->15459 15464 40116f GetProcAddress 15463->15464 15464->15459 15465 40118f GetProcAddress 15464->15465 15465->15459 15466 4011ae GetProcAddress 15465->15466 15466->15459 15467 4011ce GetProcAddress 15466->15467 15467->15459 15469 4011ee GetProcAddress 15467->15469 15468->15457 15474 4010ae 15468->15474 15469->15459 15470 401209 GetProcAddress 15469->15470 15470->15459 15471 401225 GetProcAddress 15470->15471 15471->15459 15472 401241 GetProcAddress 15471->15472 15472->15459 15473 40125c GetProcAddress 15472->15473 15473->15459 15474->15435 15477 4069b9 WriteFile 15475->15477 15478 406a3c 15477->15478 15480 4069ff 15477->15480 15478->15058 15478->15059 15479 406a10 WriteFile 15479->15478 15479->15480 15480->15478 15480->15479 15482 40eb17 15481->15482 15483 40eb21 15481->15483 15485 40eae4 15482->15485 15483->15063 15486 40eb02 GetProcAddress 15485->15486 15487 40eaed LoadLibraryA 15485->15487 15486->15483 15487->15486 15488 40eb01 15487->15488 15488->15483 15490 40eba7 GetProcessHeap HeapSize 15489->15490 15491 40ebbf GetProcessHeap HeapFree 15489->15491 15490->15491 15491->15092 15493 40908d 15492->15493 15494 4090e2 wsprintfA 15493->15494 15495 40ee2a 15494->15495 15496 4090fd CreateFileA 15495->15496 15497 40911a lstrlenA WriteFile CloseHandle 15496->15497 15498 40913f 15496->15498 15497->15498 15498->15101 15498->15102 15500 40ee2a 15499->15500 15501 409794 CreateProcessA 15500->15501 15502 4097c2 15501->15502 15503 4097bb 15501->15503 15504 4097d4 GetThreadContext 15502->15504 15503->15113 15505 409801 15504->15505 15506 4097f5 15504->15506 15513 40637c 15505->15513 15507 4097f6 TerminateProcess 15506->15507 15507->15503 15509 409816 15509->15507 15510 40981e WriteProcessMemory 15509->15510 15510->15506 15511 40983b SetThreadContext 15510->15511 15511->15506 15512 409858 ResumeThread 15511->15512 
15512->15503 15514 406386 15513->15514 15515 40638a GetModuleHandleA VirtualAlloc 15513->15515 15514->15509 15516 4063f5 15515->15516 15517 4063b6 15515->15517 15516->15509 15518 4063be VirtualAllocEx 15517->15518 15518->15516 15519 4063d6 15518->15519 15520 4063df WriteProcessMemory 15519->15520 15520->15516 15522 40dd41 InterlockedExchange 15521->15522 15523 40dd20 GetCurrentThreadId 15522->15523 15527 40dd4a 15522->15527 15524 40dd53 GetCurrentThreadId 15523->15524 15525 40dd2e GetTickCount 15523->15525 15524->15116 15526 40dd39 Sleep 15525->15526 15525->15527 15526->15522 15527->15524 15529 40dbf0 15528->15529 15561 40db67 GetEnvironmentVariableA 15529->15561 15531 40dc19 15532 40dcda 15531->15532 15533 40db67 3 API calls 15531->15533 15532->15118 15534 40dc5c 15533->15534 15534->15532 15535 40db67 3 API calls 15534->15535 15536 40dc9b 15535->15536 15536->15532 15537 40db67 3 API calls 15536->15537 15537->15532 15539 40db55 15538->15539 15540 40db3a 15538->15540 15539->15120 15539->15125 15565 40ebed 15540->15565 15574 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15542->15574 15544 40e3be 15544->15120 15545 40e342 15545->15544 15577 40de24 15545->15577 15548 40e528 15547->15548 15549 40e3f4 15547->15549 15548->15131 15550 40e434 RegQueryValueExA 15549->15550 15551 40e458 15550->15551 15552 40e51d RegCloseKey 15550->15552 15553 40e46e RegQueryValueExA 15551->15553 15552->15548 15553->15551 15554 40e488 15553->15554 15554->15552 15555 40db2e 8 API calls 15554->15555 15556 40e499 15555->15556 15556->15552 15557 40e4b9 RegQueryValueExA 15556->15557 15558 40e4e8 15556->15558 15557->15556 15557->15558 15558->15552 15559 40e332 14 API calls 15558->15559 15560 40e513 15559->15560 15560->15552 15562 40db89 lstrcpyA CreateFileA 15561->15562 15563 40dbca 15561->15563 15562->15531 15563->15531 15566 40ec01 15565->15566 15567 40ebf6 15565->15567 15569 40eba0 codecvt 2 API calls 15566->15569 15568 40ebcc 4 API calls 15567->15568 15570 40ebfe 15568->15570 15571 40ec0a 
GetProcessHeap HeapReAlloc 15569->15571 15570->15539 15572 40eb74 2 API calls 15571->15572 15573 40ec28 15572->15573 15573->15539 15588 40eb41 15574->15588 15578 40de3a 15577->15578 15584 40de4e 15578->15584 15592 40dd84 15578->15592 15581 40ebed 8 API calls 15586 40def6 15581->15586 15582 40de9e 15582->15581 15582->15584 15583 40de76 15596 40ddcf 15583->15596 15584->15545 15586->15584 15587 40ddcf lstrcmpA 15586->15587 15587->15584 15589 40eb4a 15588->15589 15591 40eb54 15588->15591 15590 40eae4 2 API calls 15589->15590 15590->15591 15591->15545 15593 40ddc5 15592->15593 15594 40dd96 15592->15594 15593->15582 15593->15583 15594->15593 15595 40ddad lstrcmpiA 15594->15595 15595->15593 15595->15594 15597 40de20 15596->15597 15598 40dddd 15596->15598 15597->15584 15598->15597 15599 40ddfa lstrcmpA 15598->15599 15599->15598 15601 40dd05 6 API calls 15600->15601 15602 40e821 15601->15602 15603 40dd84 lstrcmpiA 15602->15603 15604 40e82c 15603->15604 15605 40e844 15604->15605 15648 402480 15604->15648 15605->15145 15608 40dd05 6 API calls 15607->15608 15609 40df7c 15608->15609 15610 40dd84 lstrcmpiA 15609->15610 15614 40df89 15610->15614 15611 40dfc4 15611->15151 15612 40ddcf lstrcmpA 15612->15614 15613 40ec2e codecvt 4 API calls 15613->15614 15614->15611 15614->15612 15614->15613 15615 40dd84 lstrcmpiA 15614->15615 15615->15614 15617 40ea98 15616->15617 15657 40e8a1 15617->15657 15619 401e84 15619->15154 15621 4019d5 GetProcAddress GetProcAddress GetProcAddress 15620->15621 15622 4019ce 15620->15622 15623 401ab3 FreeLibrary 15621->15623 15624 401a04 15621->15624 15622->15158 15623->15622 15624->15623 15625 401a14 GetProcessHeap 15624->15625 15625->15622 15627 401a2e HeapAlloc 15625->15627 15627->15622 15628 401a42 15627->15628 15629 401a52 HeapReAlloc 15628->15629 15631 401a62 15628->15631 15629->15631 15630 401aa1 FreeLibrary 15630->15622 15631->15630 15632 401a96 HeapFree 15631->15632 15632->15630 15685 401ac3 LoadLibraryA 15633->15685 15636 401bcf 15636->15170 15638 
401ac3 12 API calls 15637->15638 15639 401c09 15638->15639 15640 401c41 15639->15640 15641 401c0d GetComputerNameA 15639->15641 15640->15177 15642 401c45 GetVolumeInformationA 15641->15642 15643 401c1f 15641->15643 15642->15640 15643->15640 15643->15642 15645 40ee2a 15644->15645 15646 4030d0 gethostname gethostbyname 15645->15646 15647 401f82 15646->15647 15647->15182 15647->15184 15651 402419 lstrlenA 15648->15651 15650 402491 15650->15605 15652 402474 15651->15652 15653 40243d lstrlenA 15651->15653 15652->15650 15654 402464 lstrlenA 15653->15654 15655 40244e lstrcmpiA 15653->15655 15654->15652 15654->15653 15655->15654 15656 40245c 15655->15656 15656->15652 15656->15654 15658 40dd05 6 API calls 15657->15658 15659 40e8b4 15658->15659 15660 40dd84 lstrcmpiA 15659->15660 15661 40e8c0 15660->15661 15662 40e90a 15661->15662 15663 40e8c8 lstrcpynA 15661->15663 15664 402419 4 API calls 15662->15664 15673 40ea27 15662->15673 15665 40e8f5 15663->15665 15666 40e926 lstrlenA lstrlenA 15664->15666 15678 40df4c 15665->15678 15667 40e96a 15666->15667 15668 40e94c lstrlenA 15666->15668 15672 40ebcc 4 API calls 15667->15672 15667->15673 15668->15667 15670 40e901 15671 40dd84 lstrcmpiA 15670->15671 15671->15662 15674 40e98f 15672->15674 15673->15619 15674->15673 15675 40df4c 20 API calls 15674->15675 15676 40ea1e 15675->15676 15677 40ec2e codecvt 4 API calls 15676->15677 15677->15673 15679 40dd05 6 API calls 15678->15679 15680 40df51 15679->15680 15681 40f04e 4 API calls 15680->15681 15682 40df58 15681->15682 15683 40de24 10 API calls 15682->15683 15684 40df63 15683->15684 15684->15670 15686 401ae2 GetProcAddress 15685->15686 15691 401b68 GetComputerNameA GetVolumeInformationA 15685->15691 15687 401af5 15686->15687 15686->15691 15688 40ebed 8 API calls 15687->15688 15690 401b29 15687->15690 15688->15687 15689 40ec2e codecvt 4 API calls 15689->15691 15690->15689 15690->15690 15690->15691 15691->15636 15693 406ec3 2 API calls 15692->15693 15694 407ef4 15693->15694 15695 4073ff 17 
API calls 15694->15695 15704 407fc9 15694->15704 15696 407f16 15695->15696 15696->15704 15705 407809 GetUserNameA 15696->15705 15698 407f63 15699 40ef1e lstrlenA 15698->15699 15698->15704 15700 407fa6 15699->15700 15701 40ef1e lstrlenA 15700->15701 15702 407fb7 15701->15702 15729 407a95 RegOpenKeyExA 15702->15729 15704->15193 15706 40783d LookupAccountNameA 15705->15706 15712 407a8d 15705->15712 15707 407874 GetLengthSid GetFileSecurityA 15706->15707 15706->15712 15708 4078a8 GetSecurityDescriptorOwner 15707->15708 15707->15712 15709 4078c5 EqualSid 15708->15709 15710 40791d GetSecurityDescriptorDacl 15708->15710 15709->15710 15711 4078dc LocalAlloc 15709->15711 15710->15712 15723 407941 15710->15723 15711->15710 15713 4078ef InitializeSecurityDescriptor 15711->15713 15712->15698 15715 407916 LocalFree 15713->15715 15716 4078fb SetSecurityDescriptorOwner 15713->15716 15714 40795b GetAce 15714->15723 15715->15710 15716->15715 15717 40790b SetFileSecurityA 15716->15717 15717->15715 15718 407980 EqualSid 15718->15723 15719 407a3d 15719->15712 15722 407a43 LocalAlloc 15719->15722 15720 4079be EqualSid 15720->15723 15721 40799d DeleteAce 15721->15723 15722->15712 15724 407a56 InitializeSecurityDescriptor 15722->15724 15723->15712 15723->15714 15723->15718 15723->15719 15723->15720 15723->15721 15725 407a62 SetSecurityDescriptorDacl 15724->15725 15726 407a86 LocalFree 15724->15726 15725->15726 15727 407a73 SetFileSecurityA 15725->15727 15726->15712 15727->15726 15728 407a83 15727->15728 15728->15726 15730 407ac4 15729->15730 15731 407acb GetUserNameA 15729->15731 15730->15704 15732 407da7 RegCloseKey 15731->15732 15733 407aed LookupAccountNameA 15731->15733 15732->15730 15733->15732 15734 407b24 RegGetKeySecurity 15733->15734 15734->15732 15735 407b49 GetSecurityDescriptorOwner 15734->15735 15736 407b63 EqualSid 15735->15736 15737 407bb8 GetSecurityDescriptorDacl 15735->15737 15736->15737 15739 407b74 LocalAlloc 15736->15739 15738 407da6 15737->15738 15746 407bdc 
15737->15746 15738->15732 15739->15737 15740 407b8a InitializeSecurityDescriptor 15739->15740 15741 407bb1 LocalFree 15740->15741 15742 407b96 SetSecurityDescriptorOwner 15740->15742 15741->15737 15742->15741 15744 407ba6 RegSetKeySecurity 15742->15744 15743 407bf8 GetAce 15743->15746 15744->15741 15745 407c1d EqualSid 15745->15746 15746->15738 15746->15743 15746->15745 15747 407cd9 15746->15747 15748 407c5f EqualSid 15746->15748 15749 407c3a DeleteAce 15746->15749 15747->15738 15750 407d5a LocalAlloc 15747->15750 15752 407cf2 RegOpenKeyExA 15747->15752 15748->15746 15749->15746 15750->15738 15751 407d70 InitializeSecurityDescriptor 15750->15751 15753 407d7c SetSecurityDescriptorDacl 15751->15753 15754 407d9f LocalFree 15751->15754 15752->15750 15757 407d0f 15752->15757 15753->15754 15755 407d8c RegSetKeySecurity 15753->15755 15754->15738 15755->15754 15756 407d9c 15755->15756 15756->15754 15758 407d43 RegSetValueExA 15757->15758 15758->15750 15759 407d54 15758->15759 15759->15750 15760->15212 15762 40dd05 6 API calls 15761->15762 15765 40e65f 15762->15765 15763 40e6a5 15764 40ebcc 4 API calls 15763->15764 15768 40e6f5 15763->15768 15767 40e6b0 15764->15767 15765->15763 15766 40e68c lstrcmpA 15765->15766 15766->15765 15767->15768 15770 40e6b7 15767->15770 15771 40e6e0 lstrcpynA 15767->15771 15769 40e71d lstrcmpA 15768->15769 15768->15770 15769->15768 15770->15214 15771->15768 15772->15220 15774 40c525 15773->15774 15775 40c532 15773->15775 15774->15775 15778 40ec2e codecvt 4 API calls 15774->15778 15776 40c548 15775->15776 15925 40e7ff 15775->15925 15779 40e7ff lstrcmpiA 15776->15779 15787 40c54f 15776->15787 15778->15775 15780 40c615 15779->15780 15781 40ebcc 4 API calls 15780->15781 15780->15787 15781->15787 15782 40c5d1 15785 40ebcc 4 API calls 15782->15785 15784 40e819 11 API calls 15786 40c5b7 15784->15786 15785->15787 15788 40f04e 4 API calls 15786->15788 15787->15233 15789 40c5bf 15788->15789 15789->15776 15789->15782 15791 402692 inet_addr 15790->15791 
15792 40268e 15790->15792 15791->15792 15793 40269e gethostbyname 15791->15793 15794 40f428 15792->15794 15793->15792 15928 40f315 15794->15928 15799 40c8d2 15797->15799 15798 40c907 15798->15235 15799->15798 15800 40c517 23 API calls 15799->15800 15800->15798 15801 40f43e 15802 40f473 recv 15801->15802 15803 40f458 15802->15803 15804 40f47c 15802->15804 15803->15802 15803->15804 15804->15251 15806 40c670 15805->15806 15807 40c67d 15805->15807 15808 40ebcc 4 API calls 15806->15808 15809 40ebcc 4 API calls 15807->15809 15810 40c699 15807->15810 15808->15807 15809->15810 15811 40c6f3 15810->15811 15812 40c73c send 15810->15812 15811->15264 15811->15328 15812->15811 15814 40c770 15813->15814 15815 40c77d 15813->15815 15816 40ebcc 4 API calls 15814->15816 15817 40c799 15815->15817 15818 40ebcc 4 API calls 15815->15818 15816->15815 15819 40c7b5 15817->15819 15821 40ebcc 4 API calls 15817->15821 15818->15817 15820 40f43e recv 15819->15820 15822 40c7cb 15820->15822 15821->15819 15823 40f43e recv 15822->15823 15824 40c7d3 15822->15824 15823->15824 15824->15328 15941 407db7 15825->15941 15828 407e70 15830 407e96 15828->15830 15832 40f04e 4 API calls 15828->15832 15829 40f04e 4 API calls 15831 407e4c 15829->15831 15830->15328 15831->15828 15833 40f04e 4 API calls 15831->15833 15832->15830 15833->15828 15835 406ec3 2 API calls 15834->15835 15836 407fdd 15835->15836 15837 4080c2 CreateProcessA 15836->15837 15838 4073ff 17 API calls 15836->15838 15837->15316 15837->15317 15839 407fff 15838->15839 15839->15837 15840 407809 21 API calls 15839->15840 15841 40804d 15840->15841 15841->15837 15842 40ef1e lstrlenA 15841->15842 15843 40809e 15842->15843 15844 40ef1e lstrlenA 15843->15844 15845 4080af 15844->15845 15846 407a95 24 API calls 15845->15846 15846->15837 15848 407db7 2 API calls 15847->15848 15849 407eb8 15848->15849 15850 40f04e 4 API calls 15849->15850 15851 407ece DeleteFileA 15850->15851 15851->15328 15853 40dd05 6 API calls 15852->15853 15854 40e31d 15853->15854 15945 
40e177 15854->15945 15856 40e326 15856->15288 15858 4031f3 15857->15858 15859 4031ec 15857->15859 15860 40ebcc 4 API calls 15858->15860 15859->15328 15873 4031fc 15860->15873 15861 403459 15863 40f04e 4 API calls 15861->15863 15862 40349d 15864 40ec2e codecvt 4 API calls 15862->15864 15865 40345f 15863->15865 15864->15859 15866 4030fa 4 API calls 15865->15866 15866->15859 15867 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15867->15873 15868 40344d 15869 40ec2e codecvt 4 API calls 15868->15869 15870 40344b 15869->15870 15870->15861 15870->15862 15872 403141 lstrcmpiA 15872->15873 15873->15859 15873->15867 15873->15868 15873->15870 15873->15872 15971 4030fa GetTickCount 15873->15971 15875 4030fa 4 API calls 15874->15875 15876 403c1a 15875->15876 15877 403ce6 15876->15877 15976 403a72 15876->15976 15877->15328 15880 403a72 9 API calls 15882 403c5e 15880->15882 15881 403a72 9 API calls 15881->15882 15882->15877 15882->15881 15883 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15882->15883 15883->15882 15885 403a10 15884->15885 15886 4030fa 4 API calls 15885->15886 15887 403a1a 15886->15887 15887->15328 15889 40dd05 6 API calls 15888->15889 15890 40e7be 15889->15890 15890->15328 15892 40c07e wsprintfA 15891->15892 15896 40c105 15891->15896 15985 40bfce GetTickCount wsprintfA 15892->15985 15894 40c0ef 15986 40bfce GetTickCount wsprintfA 15894->15986 15896->15328 15898 407047 15897->15898 15899 406f88 LookupAccountNameA 15897->15899 15898->15328 15901 407025 15899->15901 15902 406fcb 15899->15902 15903 406edd 5 API calls 15901->15903 15904 406fdb ConvertSidToStringSidA 15902->15904 15905 40702a wsprintfA 15903->15905 15904->15901 15906 406ff1 15904->15906 15905->15898 15907 407013 LocalFree 15906->15907 15907->15901 15909 40dd05 6 API calls 15908->15909 15910 40e85c 15909->15910 15911 40dd84 lstrcmpiA 15910->15911 15912 40e867 15911->15912 15913 40e885 lstrcpyA 15912->15913 15987 4024a5 15912->15987 15990 40dd69 15913->15990 15919 407db7 2 
API calls 15918->15919 15920 407de1 15919->15920 15921 407e16 15920->15921 15922 40f04e 4 API calls 15920->15922 15921->15328 15923 407df2 15922->15923 15923->15921 15924 40f04e 4 API calls 15923->15924 15924->15921 15926 40dd84 lstrcmpiA 15925->15926 15927 40c58e 15926->15927 15927->15776 15927->15782 15927->15784 15929 40ca1d 15928->15929 15930 40f33b 15928->15930 15929->15248 15929->15801 15931 40f347 htons socket 15930->15931 15932 40f382 ioctlsocket 15931->15932 15933 40f374 closesocket 15931->15933 15934 40f3aa connect select 15932->15934 15935 40f39d 15932->15935 15933->15929 15934->15929 15937 40f3f2 __WSAFDIsSet 15934->15937 15936 40f39f closesocket 15935->15936 15936->15929 15937->15936 15938 40f403 ioctlsocket 15937->15938 15940 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15938->15940 15940->15929 15942 407dc8 InterlockedExchange 15941->15942 15943 407dc0 Sleep 15942->15943 15944 407dd4 15942->15944 15943->15942 15944->15828 15944->15829 15946 40e184 15945->15946 15947 40e2e4 15946->15947 15948 40e223 15946->15948 15961 40dfe2 15946->15961 15947->15856 15948->15947 15950 40dfe2 8 API calls 15948->15950 15954 40e23c 15950->15954 15951 40e1be 15951->15948 15952 40dbcf 3 API calls 15951->15952 15955 40e1d6 15952->15955 15953 40e21a CloseHandle 15953->15948 15954->15947 15965 40e095 RegCreateKeyExA 15954->15965 15955->15948 15955->15953 15956 40e1f9 WriteFile 15955->15956 15956->15953 15958 40e213 15956->15958 15958->15953 15959 40e2a3 15959->15947 15960 40e095 4 API calls 15959->15960 15960->15947 15962 40dffc 15961->15962 15964 40e024 15961->15964 15963 40db2e 8 API calls 15962->15963 15962->15964 15963->15964 15964->15951 15966 40e0c0 15965->15966 15967 40e172 15965->15967 15968 40e13d 15966->15968 15970 40e115 RegSetValueExA 15966->15970 15967->15959 15969 40e14e RegDeleteValueA RegCloseKey 15968->15969 15969->15967 15970->15966 15970->15968 15972 403122 InterlockedExchange 15971->15972 15973 40312e 15972->15973 15974 40310f 
GetTickCount 15972->15974 15973->15873 15974->15973 15975 40311a Sleep 15974->15975 15975->15972 15977 40f04e 4 API calls 15976->15977 15980 403a83 15977->15980 15978 403ac1 15978->15877 15978->15880 15979 403be6 15982 40ec2e codecvt 4 API calls 15979->15982 15980->15978 15981 403bc0 15980->15981 15984 403b66 lstrlenA 15980->15984 15981->15979 15983 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15981->15983 15982->15978 15983->15981 15984->15978 15984->15980 15985->15894 15986->15896 15988 402419 4 API calls 15987->15988 15989 4024b6 15988->15989 15989->15913 15991 40dd79 lstrlenA 15990->15991 15991->15328 15993 404084 15992->15993 15994 40407d 15992->15994 15995 403ecd 6 API calls 15993->15995 15996 40408f 15995->15996 15997 404000 3 API calls 15996->15997 15999 404095 15997->15999 15998 404130 16000 403ecd 6 API calls 15998->16000 15999->15998 16004 403f18 4 API calls 15999->16004 16001 404159 CreateNamedPipeA 16000->16001 16002 404167 Sleep 16001->16002 16003 404188 ConnectNamedPipe 16001->16003 16002->15998 16005 404176 CloseHandle 16002->16005 16007 404195 GetLastError 16003->16007 16017 4041ab 16003->16017 16006 4040da 16004->16006 16005->16003 16008 403f8c 4 API calls 16006->16008 16009 40425e DisconnectNamedPipe 16007->16009 16007->16017 16010 4040ec 16008->16010 16009->16003 16011 404127 CloseHandle 16010->16011 16012 404101 16010->16012 16011->15998 16013 403f18 4 API calls 16012->16013 16014 40411c ExitProcess 16013->16014 16015 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16015->16017 16016 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16016->16017 16017->16003 16017->16009 16017->16015 16017->16016 16018 40426a CloseHandle CloseHandle 16017->16018 16019 40e318 23 API calls 16018->16019 16020 40427b 16019->16020 16020->16020 16022 408791 16021->16022 16023 40879f 16021->16023 16024 40f04e 4 API calls 16022->16024 16025 4087bc 16023->16025 16026 40f04e 4 API calls 16023->16026 16024->16023 
16027 40e819 11 API calls 16025->16027 16026->16025 16028 4087d7 16027->16028 16040 408803 16028->16040 16042 4026b2 gethostbyaddr 16028->16042 16030 4087eb 16032 40e8a1 30 API calls 16030->16032 16030->16040 16032->16040 16035 40e819 11 API calls 16035->16040 16036 4088a0 Sleep 16036->16040 16038 4026b2 2 API calls 16038->16040 16039 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16039->16040 16040->16035 16040->16036 16040->16038 16040->16039 16041 40e8a1 30 API calls 16040->16041 16047 40c4d6 16040->16047 16050 40c4e2 16040->16050 16053 402011 16040->16053 16088 408328 16040->16088 16041->16040 16043 4026fb 16042->16043 16044 4026cd 16042->16044 16043->16030 16045 4026e1 inet_ntoa 16044->16045 16046 4026de 16044->16046 16045->16046 16046->16030 16140 40c2dc 16047->16140 16051 40c2dc 141 API calls 16050->16051 16052 40c4ec 16051->16052 16052->16040 16054 402020 16053->16054 16055 40202e 16053->16055 16056 40f04e 4 API calls 16054->16056 16057 40204b 16055->16057 16058 40f04e 4 API calls 16055->16058 16056->16055 16059 40206e GetTickCount 16057->16059 16060 40f04e 4 API calls 16057->16060 16058->16057 16061 4020db GetTickCount 16059->16061 16071 402090 16059->16071 16063 402068 16060->16063 16062 402132 GetTickCount GetTickCount 16061->16062 16074 4020e7 16061->16074 16065 40f04e 4 API calls 16062->16065 16063->16059 16064 4020d4 GetTickCount 16064->16061 16067 402159 16065->16067 16066 40212b GetTickCount 16066->16062 16069 4021b4 16067->16069 16073 40e854 13 API calls 16067->16073 16068 402684 2 API calls 16068->16071 16072 40f04e 4 API calls 16069->16072 16071->16064 16071->16068 16077 4020ce 16071->16077 16475 401978 16071->16475 16076 4021d1 16072->16076 16078 40218e 16073->16078 16074->16066 16079 402125 16074->16079 16082 401978 15 API calls 16074->16082 16480 402ef8 16074->16480 16080 4021f2 16076->16080 16083 40ea84 30 API calls 16076->16083 16077->16064 16081 40e819 11 API calls 16078->16081 16079->16066 16080->16040 
16084 40219c 16081->16084 16082->16074 16085 4021ec 16083->16085 16084->16069 16488 401c5f 16084->16488 16086 40f04e 4 API calls 16085->16086 16086->16080 16089 407dd6 6 API calls 16088->16089 16090 40833c 16089->16090 16091 406ec3 2 API calls 16090->16091 16099 408340 16090->16099 16092 40834f 16091->16092 16093 40835c 16092->16093 16096 40846b 16092->16096 16094 4073ff 17 API calls 16093->16094 16102 408373 16094->16102 16095 40675c 21 API calls 16113 4085df 16095->16113 16100 4084a7 RegOpenKeyExA 16096->16100 16125 408450 16096->16125 16097 408626 GetTempPathA 16098 408638 16097->16098 16560 406ba7 IsBadCodePtr 16098->16560 16099->16040 16103 4084c0 RegQueryValueExA 16100->16103 16112 40852f 16100->16112 16102->16099 16119 4083ea RegOpenKeyExA 16102->16119 16102->16125 16105 408521 RegCloseKey 16103->16105 16109 4084dd 16103->16109 16104 4086ad 16106 408762 16104->16106 16108 407e2f 6 API calls 16104->16108 16105->16112 16106->16099 16111 40ec2e codecvt 4 API calls 16106->16111 16107 408564 RegOpenKeyExA 16114 408573 16107->16114 16121 4085a5 16107->16121 16118 4086bb 16108->16118 16109->16105 16115 40ebcc 4 API calls 16109->16115 16110 40875b DeleteFileA 16110->16106 16111->16099 16112->16107 16112->16121 16113->16097 16113->16098 16113->16106 16114->16114 16116 408585 RegSetValueExA RegCloseKey 16114->16116 16117 4084f0 16115->16117 16116->16121 16117->16105 16120 4084f8 RegQueryValueExA 16117->16120 16118->16110 16126 4086e0 lstrcpyA lstrlenA 16118->16126 16122 4083fd RegQueryValueExA 16119->16122 16119->16125 16120->16105 16123 408515 16120->16123 16124 40ec2e codecvt 4 API calls 16121->16124 16121->16125 16127 40842d RegSetValueExA 16122->16127 16128 40841e 16122->16128 16129 40ec2e codecvt 4 API calls 16123->16129 16124->16125 16125->16095 16125->16113 16131 407fcf 64 API calls 16126->16131 16132 408447 RegCloseKey 16127->16132 16128->16127 16128->16132 16130 40851d 16129->16130 16130->16105 16133 408719 CreateProcessA 16131->16133 16132->16125 16134 
40873d CloseHandle CloseHandle 16133->16134 16135 40874f 16133->16135 16134->16106 16136 407ee6 64 API calls 16135->16136 16137 408754 16136->16137 16138 407ead 6 API calls 16137->16138 16139 40875a 16138->16139 16139->16110 16156 40a4c7 GetTickCount 16140->16156 16143 40c300 GetTickCount 16145 40c337 16143->16145 16144 40c326 16144->16145 16146 40c32b GetTickCount 16144->16146 16150 40c363 GetTickCount 16145->16150 16151 40c45e 16145->16151 16146->16145 16147 40c4d2 16147->16040 16148 40c4ab InterlockedIncrement CreateThread 16148->16147 16149 40c4cb CloseHandle 16148->16149 16161 40b535 16148->16161 16149->16147 16150->16151 16152 40c373 16150->16152 16151->16147 16151->16148 16153 40c378 GetTickCount 16152->16153 16154 40c37f 16152->16154 16153->16154 16155 40c43b GetTickCount 16154->16155 16155->16151 16157 40a4f7 InterlockedExchange 16156->16157 16158 40a500 16157->16158 16159 40a4e4 GetTickCount 16157->16159 16158->16143 16158->16144 16158->16151 16159->16158 16160 40a4ef Sleep 16159->16160 16160->16157 16162 40b566 16161->16162 16163 40ebcc 4 API calls 16162->16163 16164 40b587 16163->16164 16165 40ebcc 4 API calls 16164->16165 16192 40b590 16165->16192 16166 40bdcd InterlockedDecrement 16167 40bde2 16166->16167 16169 40ec2e codecvt 4 API calls 16167->16169 16170 40bdea 16169->16170 16171 40ec2e codecvt 4 API calls 16170->16171 16173 40bdf2 16171->16173 16172 40bdb7 Sleep 16172->16192 16174 40be05 16173->16174 16176 40ec2e codecvt 4 API calls 16173->16176 16175 40bdcc 16175->16166 16176->16174 16177 40ebed 8 API calls 16177->16192 16180 40b6b6 lstrlenA 16180->16192 16181 4030b5 2 API calls 16181->16192 16182 40b6ed lstrcpyA 16236 405ce1 16182->16236 16183 40e819 11 API calls 16183->16192 16186 40b731 lstrlenA 16186->16192 16187 40b71f lstrcmpA 16187->16186 16187->16192 16188 40b772 GetTickCount 16188->16192 16189 40bd49 InterlockedIncrement 16333 40a628 16189->16333 16192->16166 16192->16172 16192->16175 16192->16177 16192->16180 16192->16181 16192->16182 
16192->16183 16192->16186 16192->16187 16192->16188 16192->16189 16193 40bc5b InterlockedIncrement 16192->16193 16194 40b7ce InterlockedIncrement 16192->16194 16197 40b912 GetTickCount 16192->16197 16198 40b826 InterlockedIncrement 16192->16198 16199 40b932 GetTickCount 16192->16199 16200 40bcdc closesocket 16192->16200 16202 4038f0 6 API calls 16192->16202 16204 40bba6 InterlockedIncrement 16192->16204 16207 40bc4c closesocket 16192->16207 16210 405ce1 22 API calls 16192->16210 16211 40ba71 wsprintfA 16192->16211 16212 405ded 12 API calls 16192->16212 16214 40ab81 lstrcpynA InterlockedIncrement 16192->16214 16215 40a7c1 22 API calls 16192->16215 16216 40ef1e lstrlenA 16192->16216 16218 403e10 16192->16218 16221 403e4f 16192->16221 16224 40384f 16192->16224 16244 40a7a3 inet_ntoa 16192->16244 16251 40abee 16192->16251 16263 401feb GetTickCount 16192->16263 16264 40a688 16192->16264 16287 403cfb 16192->16287 16290 40b3c5 16192->16290 16321 40ab81 16192->16321 16193->16192 16246 40acd7 16194->16246 16197->16192 16198->16188 16199->16192 16201 40bc6d InterlockedIncrement 16199->16201 16200->16192 16201->16192 16202->16192 16204->16192 16207->16192 16210->16192 16267 40a7c1 16211->16267 16212->16192 16214->16192 16215->16192 16216->16192 16219 4030fa 4 API calls 16218->16219 16220 403e1d 16219->16220 16220->16192 16222 4030fa 4 API calls 16221->16222 16223 403e5c 16222->16223 16223->16192 16225 4030fa 4 API calls 16224->16225 16226 403863 16225->16226 16227 4038b9 16226->16227 16228 403889 16226->16228 16235 4038b2 16226->16235 16342 4035f9 16227->16342 16336 403718 16228->16336 16233 403718 6 API calls 16233->16235 16234 4035f9 6 API calls 16234->16235 16235->16192 16237 405cf4 16236->16237 16238 405cec 16236->16238 16240 404bd1 4 API calls 16237->16240 16348 404bd1 GetTickCount 16238->16348 16241 405d02 16240->16241 16353 405472 16241->16353 16245 40a7b9 16244->16245 16245->16192 16247 40f315 14 API calls 16246->16247 16248 40aceb 16247->16248 16249 40acff 
16248->16249 16250 40f315 14 API calls 16248->16250 16249->16192 16250->16249 16252 40abfb 16251->16252 16255 40ac65 16252->16255 16416 402f22 16252->16416 16254 40f315 14 API calls 16254->16255 16255->16254 16256 40ac8a 16255->16256 16257 40ac6f 16255->16257 16256->16192 16259 40ab81 2 API calls 16257->16259 16258 40ac23 16258->16255 16260 402684 2 API calls 16258->16260 16261 40ac81 16259->16261 16260->16258 16424 4038f0 16261->16424 16263->16192 16438 40a63d 16264->16438 16266 40a696 16266->16192 16268 40a87d lstrlenA send 16267->16268 16269 40a7df 16267->16269 16270 40a899 16268->16270 16271 40a8bf 16268->16271 16269->16268 16276 40a7fa wsprintfA 16269->16276 16278 40a80a 16269->16278 16279 40a8f2 16269->16279 16272 40a8a5 wsprintfA 16270->16272 16286 40a89e 16270->16286 16273 40a8c4 send 16271->16273 16271->16279 16272->16286 16275 40a8d8 wsprintfA 16273->16275 16273->16279 16274 40a978 recv 16274->16279 16280 40a982 16274->16280 16275->16286 16276->16278 16277 40a9b0 wsprintfA 16277->16286 16278->16268 16279->16274 16279->16277 16279->16280 16281 4030b5 2 API calls 16280->16281 16280->16286 16282 40ab05 16281->16282 16283 40e819 11 API calls 16282->16283 16284 40ab17 16283->16284 16285 40a7a3 inet_ntoa 16284->16285 16285->16286 16286->16192 16288 4030fa 4 API calls 16287->16288 16289 403d0b 16288->16289 16289->16192 16291 405ce1 22 API calls 16290->16291 16292 40b3e6 16291->16292 16293 405ce1 22 API calls 16292->16293 16294 40b404 16293->16294 16295 40ef7c 3 API calls 16294->16295 16301 40b440 16294->16301 16297 40b42b 16295->16297 16296 40ef7c 3 API calls 16298 40b458 wsprintfA 16296->16298 16299 40ef7c 3 API calls 16297->16299 16300 40ef7c 3 API calls 16298->16300 16299->16301 16302 40b480 16300->16302 16301->16296 16303 40ef7c 3 API calls 16302->16303 16304 40b493 16303->16304 16305 40ef7c 3 API calls 16304->16305 16306 40b4bb 16305->16306 16443 40ad89 GetLocalTime SystemTimeToFileTime 16306->16443 16310 40b4cc 16311 40ef7c 3 API calls 16310->16311 16312 
40b4dd 16311->16312 16313 40b211 7 API calls 16312->16313 16314 40b4ec 16313->16314 16315 40ef7c 3 API calls 16314->16315 16316 40b4fd 16315->16316 16317 40b211 7 API calls 16316->16317 16318 40b509 16317->16318 16319 40ef7c 3 API calls 16318->16319 16320 40b51a 16319->16320 16320->16192 16322 40abe9 GetTickCount 16321->16322 16324 40ab8c 16321->16324 16326 40a51d 16322->16326 16323 40aba8 lstrcpynA 16323->16324 16324->16322 16324->16323 16325 40abe1 InterlockedIncrement 16324->16325 16325->16324 16327 40a4c7 4 API calls 16326->16327 16328 40a52c 16327->16328 16329 40a542 GetTickCount 16328->16329 16331 40a539 GetTickCount 16328->16331 16329->16331 16332 40a56c 16331->16332 16332->16192 16334 40a4c7 4 API calls 16333->16334 16335 40a633 16334->16335 16335->16192 16337 40f04e 4 API calls 16336->16337 16339 40372a 16337->16339 16338 403847 16338->16233 16338->16235 16339->16338 16340 4037b3 GetCurrentThreadId 16339->16340 16340->16339 16341 4037c8 GetCurrentThreadId 16340->16341 16341->16339 16343 40f04e 4 API calls 16342->16343 16346 40360c 16343->16346 16344 4036f1 16344->16234 16344->16235 16345 4036da GetCurrentThreadId 16345->16344 16347 4036e5 GetCurrentThreadId 16345->16347 16346->16344 16346->16345 16347->16344 16349 404bff InterlockedExchange 16348->16349 16350 404c08 16349->16350 16351 404bec GetTickCount 16349->16351 16350->16237 16351->16350 16352 404bf7 Sleep 16351->16352 16352->16349 16372 404763 16353->16372 16355 405b58 16382 404699 16355->16382 16358 404763 lstrlenA 16359 405b6e 16358->16359 16403 404f9f 16359->16403 16361 405b79 16361->16192 16363 405549 lstrlenA 16370 40548a 16363->16370 16364 405472 13 API calls 16364->16370 16366 40558d lstrcpynA 16366->16370 16367 405a9f lstrcpyA 16367->16370 16368 405935 lstrcpynA 16368->16370 16369 4058e7 lstrcpyA 16369->16370 16370->16355 16370->16364 16370->16366 16370->16367 16370->16368 16370->16369 16371 404ae6 8 API calls 16370->16371 16376 404ae6 16370->16376 16380 40ef7c lstrlenA lstrlenA lstrlenA 
16370->16380 16371->16370 16374 40477a 16372->16374 16373 404859 16373->16370 16374->16373 16375 40480d lstrlenA 16374->16375 16375->16374 16377 404af3 16376->16377 16379 404b03 16376->16379 16378 40ebed 8 API calls 16377->16378 16378->16379 16379->16363 16381 40efb4 16380->16381 16381->16370 16408 4045b3 16382->16408 16385 4045b3 7 API calls 16386 4046c6 16385->16386 16387 4045b3 7 API calls 16386->16387 16388 4046d8 16387->16388 16389 4045b3 7 API calls 16388->16389 16390 4046ea 16389->16390 16391 4045b3 7 API calls 16390->16391 16392 4046ff 16391->16392 16393 4045b3 7 API calls 16392->16393 16394 404711 16393->16394 16395 4045b3 7 API calls 16394->16395 16396 404723 16395->16396 16397 40ef7c 3 API calls 16396->16397 16398 404735 16397->16398 16399 40ef7c 3 API calls 16398->16399 16400 40474a 16399->16400 16401 40ef7c 3 API calls 16400->16401 16402 40475c 16401->16402 16402->16358 16404 404fac 16403->16404 16407 404fb0 16403->16407 16404->16361 16405 404ffd 16405->16361 16406 404fd5 IsBadCodePtr 16406->16407 16407->16405 16407->16406 16409 4045c1 16408->16409 16411 4045c8 16408->16411 16410 40ebcc 4 API calls 16409->16410 16410->16411 16412 40ebcc 4 API calls 16411->16412 16414 4045e1 16411->16414 16412->16414 16413 404691 16413->16385 16414->16413 16415 40ef7c 3 API calls 16414->16415 16415->16414 16431 402d21 GetModuleHandleA 16416->16431 16419 402fcf GetProcessHeap HeapFree 16423 402f44 16419->16423 16420 402f85 16420->16419 16420->16420 16421 402f4f 16422 402f6b GetProcessHeap HeapFree 16421->16422 16422->16423 16423->16258 16425 403900 16424->16425 16426 403980 16424->16426 16427 4030fa 4 API calls 16425->16427 16426->16256 16430 40390a 16427->16430 16428 40391b GetCurrentThreadId 16428->16430 16429 403939 GetCurrentThreadId 16429->16430 16430->16426 16430->16428 16430->16429 16432 402d46 LoadLibraryA 16431->16432 16433 402d5b GetProcAddress 16431->16433 16432->16433 16435 402d54 16432->16435 16434 402d6b 16433->16434 16433->16435 16434->16435 16436 402d97 
GetProcessHeap HeapAlloc 16434->16436 16437 402db5 lstrcpynA 16434->16437 16435->16420 16435->16421 16435->16423 16436->16434 16436->16435 16437->16434 16439 40a645 16438->16439 16440 40a64d 16438->16440 16439->16266 16441 40a66e 16440->16441 16442 40a65e GetTickCount 16440->16442 16441->16266 16442->16441 16444 40adbf 16443->16444 16468 40ad08 gethostname 16444->16468 16447 4030b5 2 API calls 16448 40add3 16447->16448 16449 40a7a3 inet_ntoa 16448->16449 16456 40ade4 16448->16456 16449->16456 16450 40ae85 wsprintfA 16451 40ef7c 3 API calls 16450->16451 16453 40aebb 16451->16453 16452 40ae36 wsprintfA wsprintfA 16454 40ef7c 3 API calls 16452->16454 16455 40ef7c 3 API calls 16453->16455 16454->16456 16457 40aed2 16455->16457 16456->16450 16456->16452 16458 40b211 16457->16458 16459 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16458->16459 16460 40b2af GetLocalTime 16458->16460 16461 40b2d2 16459->16461 16460->16461 16462 40b2d9 SystemTimeToFileTime 16461->16462 16463 40b31c GetTimeZoneInformation 16461->16463 16464 40b2ec 16462->16464 16465 40b33a wsprintfA 16463->16465 16466 40b312 FileTimeToSystemTime 16464->16466 16465->16310 16466->16463 16469 40ad71 16468->16469 16470 40ad26 lstrlenA 16468->16470 16471 40ad85 16469->16471 16472 40ad79 lstrcpyA 16469->16472 16470->16469 16474 40ad68 lstrlenA 16470->16474 16471->16447 16472->16471 16474->16469 16476 40f428 14 API calls 16475->16476 16477 40198a 16476->16477 16478 401990 closesocket 16477->16478 16479 401998 16477->16479 16478->16479 16479->16071 16481 402d21 6 API calls 16480->16481 16482 402f01 16481->16482 16483 402f0f 16482->16483 16496 402df2 GetModuleHandleA 16482->16496 16484 402684 2 API calls 16483->16484 16487 402f1f 16483->16487 16486 402f1d 16484->16486 16486->16074 16487->16074 16489 401c80 16488->16489 16490 401cc2 wsprintfA 16489->16490 16491 401d1c 16489->16491 16495 401d79 16489->16495 16492 402684 2 API calls 16490->16492 16491->16491 16493 401d47 wsprintfA 16491->16493 16492->16489 16494 
402684 2 API calls 16493->16494 16494->16495 16495->16069 16497 402e10 LoadLibraryA 16496->16497 16498 402e0b 16496->16498 16499 402e17 16497->16499 16498->16497 16498->16499 16500 402e28 GetProcAddress 16499->16500 16501 402ef1 16499->16501 16500->16501 16502 402e3e GetProcessHeap HeapAlloc 16500->16502 16501->16483 16504 402e62 16502->16504 16503 402ede GetProcessHeap HeapFree 16503->16501 16504->16501 16504->16503 16505 402e7f htons inet_addr 16504->16505 16506 402ea5 gethostbyname 16504->16506 16508 402ceb 16504->16508 16505->16504 16505->16506 16506->16504 16509 402cf2 16508->16509 16511 402d1c 16509->16511 16512 402d0e Sleep 16509->16512 16513 402a62 GetProcessHeap HeapAlloc 16509->16513 16511->16504 16512->16509 16512->16511 16514 402a92 16513->16514 16515 402a99 socket 16513->16515 16514->16509 16516 402cd3 GetProcessHeap HeapFree 16515->16516 16517 402ab4 16515->16517 16516->16514 16517->16516 16531 402abd 16517->16531 16518 402adb htons 16533 4026ff 16518->16533 16520 402b04 select 16520->16531 16521 402ca4 16522 402cb3 GetProcessHeap HeapFree closesocket 16521->16522 16522->16514 16523 402b3f recv 16523->16531 16524 402b66 htons 16524->16521 16524->16531 16525 402b87 htons 16525->16521 16525->16531 16528 402bf3 GetProcessHeap HeapAlloc 16528->16531 16529 402c17 htons 16548 402871 16529->16548 16531->16518 16531->16520 16531->16521 16531->16522 16531->16523 16531->16524 16531->16525 16531->16528 16531->16529 16532 402c4d GetProcessHeap HeapFree 16531->16532 16540 402923 16531->16540 16552 402904 16531->16552 16532->16531 16534 40271d 16533->16534 16535 402717 16533->16535 16537 40272b GetTickCount htons 16534->16537 16536 40ebcc 4 API calls 16535->16536 16536->16534 16538 4027cc htons htons sendto 16537->16538 16539 40278a 16537->16539 16538->16531 16539->16538 16541 402944 16540->16541 16543 40293d 16540->16543 16556 402816 htons 16541->16556 16543->16531 16544 402950 16544->16543 16545 402871 htons 16544->16545 16546 4029bd htons htons htons 
16544->16546 16545->16544 16546->16543 16547 4029f6 GetProcessHeap HeapAlloc 16546->16547 16547->16543 16547->16544 16549 4028e3 16548->16549 16550 402889 16548->16550 16549->16531 16550->16549 16551 4028c3 htons 16550->16551 16551->16549 16551->16550 16553 402921 16552->16553 16554 402908 16552->16554 16553->16531 16555 402909 GetProcessHeap HeapFree 16554->16555 16555->16553 16555->16555 16557 40286b 16556->16557 16558 402836 16556->16558 16557->16544 16558->16557 16559 40285c htons 16558->16559 16559->16557 16559->16558 16561 406bbc 16560->16561 16562 406bc0 16560->16562 16561->16104 16563 40ebcc 4 API calls 16562->16563 16573 406bd4 16562->16573 16564 406be4 16563->16564 16565 406c07 CreateFileA 16564->16565 16566 406bfc 16564->16566 16564->16573 16567 406c34 WriteFile 16565->16567 16568 406c2a 16565->16568 16569 40ec2e codecvt 4 API calls 16566->16569 16571 406c49 CloseHandle DeleteFileA 16567->16571 16572 406c5a CloseHandle 16567->16572 16570 40ec2e codecvt 4 API calls 16568->16570 16569->16573 16570->16573 16571->16568 16574 40ec2e codecvt 4 API calls 16572->16574 16573->16104 16574->16573 16575 1ba0005 16580 1ba092b GetPEB 16575->16580 16577 1ba0030 16582 1ba003c 16577->16582 16581 1ba0972 16580->16581 16581->16577 16583 1ba0049 16582->16583 16597 1ba0e0f SetErrorMode SetErrorMode 16583->16597 16588 1ba0265 16589 1ba02ce VirtualProtect 16588->16589 16591 1ba030b 16589->16591 16590 1ba0439 VirtualFree 16595 1ba05f4 LoadLibraryA 16590->16595 16596 1ba04be 16590->16596 16591->16590 16592 1ba04e3 LoadLibraryA 16592->16596 16594 1ba08c7 16595->16594 16596->16592 16596->16595 16598 1ba0223 16597->16598 16599 1ba0d90 16598->16599 16600 1ba0dad 16599->16600 16601 1ba0dbb GetPEB 16600->16601 16602 1ba0238 VirtualAlloc 16600->16602 16601->16602 16602->16588
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(004133D8), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
• API String ID: 2089075347-2824936573
• Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 497 409326-409348 call 401910 GetVersionExA 500 409358-40935c 497->500 501 40934a-409356 497->501 502 409360-40937d GetModuleHandleA GetModuleFileNameA 500->502 501->502 503 409385-4093a2 502->503 504 40937f 502->504 505 4093a4-4093d7 call 402544 wsprintfA 503->505 506 4093d9-409412 call 402544 wsprintfA 503->506 504->503 511 409415-40942c call 40ee2a 505->511 506->511 514 4094a3-4094b3 call 406edd 511->514 515 40942e-409432 511->515 520 4094b9-4094f9 call 402544 RegOpenKeyExA 514->520 521 40962f-409632 514->521 515->514 517 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 515->517 517->514 531 409502-40952e call 402544 RegQueryValueExA 520->531 532 4094fb-409500 520->532 523 409634-409637 521->523 526 409639-40964a call 401820 523->526 527 40967b-409682 523->527 543 40964c-409662 526->543 544 40966d-409679 526->544 534 409683 call 4091eb 527->534 552 409530-409537 531->552 553 409539-409565 call 402544 RegQueryValueExA 531->553 536 40957a-40957f 532->536 540 409688-409690 534->540 541 409581-409584 536->541 542 40958a-40958d 536->542 547 409692 540->547 548 409698-4096a0 540->548 541->523 541->542 542->527 549 409593-40959a 542->549 550 409664-40966b 543->550 551 40962b-40962d 543->551 544->534 547->548 557 4096a2-4096a9 548->557 558 40961a-40961f 549->558 559 40959c-4095a1 549->559 550->551 551->557 560 40956e-409577 RegCloseKey 552->560 553->560 565 409567 553->565 563 409625 558->563 559->558 564 4095a3-4095c0 call 40f0e4 559->564 560->536 563->551 570 4095c2-4095db call 4018e0 564->570 571 40960c-409618 564->571 565->560 570->557 574 4095e1-4095f9 570->574 571->563 574->557 575 4095ff-409607 574->575 575->557
                                                                                                                                                                APIs
                                                                                                                                                                • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                                                                                                • wsprintfA.USER32 ref: 004093CE
                                                                                                                                                                • wsprintfA.USER32 ref: 0040940C
                                                                                                                                                                • wsprintfA.USER32 ref: 0040948D
                                                                                                                                                                • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                                                                                                • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                                                                                • String ID: PromptOnSecureDesktop$runas
                                                                                                                                                                • API String ID: 3696105349-2220793183
                                                                                                                                                                • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                                                                                • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                                                                                                • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                                                                                • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 614 406a60-406a89 CreateFileA 615 406b8c-406ba1 GetLastError 614->615 616 406a8f-406ac3 GetDiskFreeSpaceA 614->616 619 406ba3-406ba6 615->619 617 406ac5-406adc call 40eb0e 616->617 618 406b1d-406b34 call 406987 616->618 617->618 626 406ade 617->626 624 406b56-406b63 FindCloseChangeNotification 618->624 625 406b36-406b54 GetLastError CloseHandle 618->625 628 406b65-406b7d GetLastError CloseHandle 624->628 629 406b86-406b8a 624->629 627 406b7f-406b80 DeleteFileA 625->627 630 406ae0-406ae5 626->630 631 406ae7-406afb call 40eca5 626->631 627->629 628->627 629->619 630->631 632 406afd-406aff 630->632 631->618 632->618 634 406b01 632->634 636 406b03-406b08 634->636 637 406b0a-406b17 call 40eca5 634->637 636->618 636->637 637->618
                                                                                                                                                                APIs
                                                                                                                                                                • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                                                                                • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                                                                                • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                • API String ID: 1251348514-2980165447
                                                                                                                                                                • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                                                                • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                                                                                                • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                                                                • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                                                                                • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1209300637-0
                                                                                                                                                                • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                                                                • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                                                                                • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                                                                • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 823 1c2046b-1c20484 824 1c20486-1c20488 823->824 825 1c2048a 824->825 826 1c2048f-1c2049b CreateToolhelp32Snapshot 824->826 825->826 827 1c204ab-1c204b8 Module32First 826->827 828 1c2049d-1c204a3 826->828 829 1c204c1-1c204c9 827->829 830 1c204ba-1c204bb call 1c2012a 827->830 828->827 833 1c204a5-1c204a9 828->833 834 1c204c0 830->834 833->824 833->827 834->829
                                                                                                                                                                APIs
                                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 01C20493
                                                                                                                                                                • Module32First.KERNEL32(00000000,00000224), ref: 01C204B3
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671898553.0000000001C1B000.00000040.00000020.00020000.00000000.sdmp, Offset: 01C1B000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1c1b000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3833638111-0
                                                                                                                                                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                                                • Instruction ID: 3c84d87d7cc011b529535a3edf7ca431b678e720a3ec34b2917f70c824b1146c
                                                                                                                                                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                                                • Instruction Fuzzy Hash: D7F0F632100321EFE7203BF8AC8DB6E76F8BF49230F20462AF646910C0DB70E9054660
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 839 40ebcc-40ebec GetProcessHeap RtlAllocateHeap call 40eb74
                                                                                                                                                                APIs
                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                                                                                  • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                                                                                                  • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heap$Process$AllocateSize
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2559512979-0
                                                                                                                                                                • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                                                                                • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                                                                                                • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                                                                                • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 264 4073ff-407419 265 40741b 264->265 266 40741d-407422 264->266 265->266 267 407424 266->267 268 407426-40742b 266->268 267->268 269 407430-407435 268->269 270 40742d 268->270 271 407437 269->271 272 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 269->272 270->269 271->272 277 407487-40749d call 40ee2a 272->277 278 4077f9-4077fe call 40ee2a 272->278 283 407703-40770e RegEnumKeyA 277->283 284 407801 278->284 285 4074a2-4074b1 call 406cad 283->285 286 407714-40771d RegCloseKey 283->286 287 407804-407808 284->287 290 4074b7-4074cc call 40f1a5 285->290 291 4076ed-407700 285->291 286->284 290->291 294 4074d2-4074f8 RegOpenKeyExA 290->294 291->283 295 407727-40772a 294->295 296 4074fe-407530 call 402544 RegQueryValueExA 294->296 297 407755-407764 call 40ee2a 295->297 298 40772c-407740 call 40ef00 295->298 296->295 305 407536-40753c 296->305 306 4076df-4076e2 297->306 307 407742-407745 RegCloseKey 298->307 308 40774b-40774e 298->308 309 40753f-407544 305->309 306->291 310 4076e4-4076e7 RegCloseKey 306->310 307->308 312 4077ec-4077f7 RegCloseKey 308->312 309->309 311 407546-40754b 309->311 310->291 311->297 313 407551-40756b call 40ee95 311->313 312->287 313->297 316 407571-407593 call 402544 call 40ee95 313->316 321 407753 316->321 322 407599-4075a0 316->322 321->297 323 4075a2-4075c6 call 40ef00 call 40ed03 322->323 324 4075c8-4075d7 call 40ed03 322->324 329 4075d8-4075da 323->329 324->329 331 4075dc 329->331 332 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 329->332 331->332 342 407626-40762b 332->342 342->342 343 40762d-407634 342->343 344 407637-40763c 343->344 344->344 345 40763e-407642 344->345 346 407644-407656 call 40ed77 345->346 347 40765c-407673 call 40ed23 345->347 352 407769-40777c call 40ef00 346->352 353 407680 347->353 354 407675-40767e 347->354 359 4077e3-4077e6 RegCloseKey 352->359 356 407683-40768e call 406cad 353->356 354->356 361 407722-407725 356->361 362 407694-4076bf call 40f1a5 call 406c96 356->362 359->312 363 4076dd 361->363 368 4076c1-4076c7 362->368 369 4076d8 362->369 363->306 368->369 370 4076c9-4076d2 368->370 369->363 370->369 371 40777e-407797 GetFileAttributesExA 370->371 372 407799 371->372 373 40779a-40779f 371->373 372->373 374 4077a1 373->374 375 4077a3-4077a8 373->375 374->375 376 4077c4-4077c8 375->376 377 4077aa-4077c0 call 40ee08 375->377 379 4077d7-4077dc 376->379 380 4077ca-4077d6 call 40ef00 376->380 377->376 382 4077e0-4077e2 379->382 383 4077de 379->383 380->379 382->359 383->382
                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.ADVAPI32(?), ref: 004077E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
• Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 386 40704c-407071 387 407073 386->387 388 407075-40707a 386->388 387->388 389 40707c 388->389 390 40707e-407083 388->390 389->390 391 407085 390->391 392 407087-40708c 390->392 391->392 393 407090-4070ca call 402544 RegOpenKeyExA 392->393 394 40708e 392->394 397 4070d0-4070f6 call 406dc2 393->397 398 4071b8-4071c8 call 40ee2a 393->398 394->393 404 40719b-4071a9 RegEnumValueA 397->404 403 4071cb-4071cf 398->403 405 4070fb-4070fd 404->405 406 4071af-4071b2 RegCloseKey 404->406 407 40716e-407194 405->407 408 4070ff-407102 405->408 406->398 407->404 408->407 409 407104-407107 408->409 409->407 410 407109-40710d 409->410 410->407 411 40710f-407133 call 402544 call 40eed1 410->411 416 4071d0-407203 call 402544 call 40ee95 call 40ee2a 411->416 417 407139-407145 call 406cad 411->417 432 407205-407212 RegCloseKey 416->432 433 407227-40722e 416->433 423 407147-40715c call 40f1a5 417->423 424 40715e-40716b call 40ee2a 417->424 423->416 423->424 424->407 434 407222-407225 432->434 435 407214-407221 call 40ef00 432->435 436 407230-407256 call 40ef00 call 40ed23 433->436 437 40725b-40728c call 402544 call 40ee95 call 40ee2a 433->437 434->403 435->434 436->437 449 407258 436->449 451 4072b8-4072cb call 40ed77 437->451 452 40728e-40729a RegCloseKey 437->452 449->437 459 4072dd-4072f4 call 40ed23 451->459 460 4072cd-4072d8 RegCloseKey 451->460 453 4072aa-4072b3 452->453 454 40729c-4072a9 call 40ef00 452->454 453->403 454->453 463 407301 459->463 464 4072f6-4072ff 459->464 460->403 465 407304-40730f call 406cad 463->465 464->465 468 407311-40731d RegCloseKey 465->468 469 407335-40735d call 406c96 465->469 470 40732d-407330 468->470 471 40731f-40732c call 40ef00 468->471 476 4073d5-4073e2 RegCloseKey 469->476 477 40735f-407365 469->477 470->453 471->470 479 4073f2-4073f7 476->479 480 4073e4-4073f1 call 40ef00 476->480 477->476 478 407367-407370 477->478 478->476 481 407372-40737c 478->481 480->479 483 40739d-4073a2 481->483 484 40737e-407395 GetFileAttributesExA 481->484 486 4073a4 483->486 487 4073a6-4073a9 483->487 484->483 488 407397 484->488 486->487 489 4073b9-4073bc 487->489 490 4073ab-4073b8 call 40ef00 487->490 488->483 492 4073cb-4073cd 489->492 493 4073be-4073ca call 40ef00 489->493 490->489 492->476 493->492
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
• RegEnumValueA.KERNELBASE(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
• RegCloseKey.KERNELBASE(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"$PromptOnSecureDesktop
• API String ID: 4293430545-98143240
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 576 40675c-406778 577 406784-4067a2 CreateFileA 576->577 578 40677a-40677e SetFileAttributesA 576->578 579 4067a4-4067b2 CreateFileA 577->579 580 4067b5-4067b8 577->580 578->577 579->580 581 4067c5-4067c9 580->581 582 4067ba-4067bf SetFileAttributesA 580->582 583 406977-406986 581->583 584 4067cf-4067df GetFileSize 581->584 582->581 585 4067e5-4067e7 584->585 586 40696b 584->586 585->586 588 4067ed-40680b ReadFile 585->588 587 40696e-406971 FindCloseChangeNotification 586->587 587->583 588->586 589 406811-406824 SetFilePointer 588->589 589->586 590 40682a-406842 ReadFile 589->590 590->586 591 406848-406861 SetFilePointer 590->591 591->586 592 406867-406876 591->592 593 4068d5-4068df 592->593 594 406878-40688f ReadFile 592->594 593->587 595 4068e5-4068eb 593->595 596 406891-40689e 594->596 597 4068d2 594->597 598 4068f0-4068fe call 40ebcc 595->598 599 4068ed 595->599 600 4068a0-4068b5 596->600 601 4068b7-4068ba 596->601 597->593 598->586 608 406900-40690b SetFilePointer 598->608 599->598 603 4068bd-4068c3 600->603 601->603 604 4068c5 603->604 605 4068c8-4068ce 603->605 604->605 605->594 607 4068d0 605->607 607->593 609 40695a-406969 call 40ec2e 608->609 610 40690d-406920 ReadFile 608->610 609->587 610->609 611 406922-406958 610->611 611->587
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
• ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
• ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
• FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
• String ID:
• API String ID: 1400801100-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 640 1ba003c-1ba0047 641 1ba0049 640->641 642 1ba004c-1ba0263 call 1ba0a3f call 1ba0e0f call 1ba0d90 VirtualAlloc 640->642 641->642 657 1ba028b-1ba0292 642->657 658 1ba0265-1ba0289 call 1ba0a69 642->658 660 1ba02a1-1ba02b0 657->660 662 1ba02ce-1ba03c2 VirtualProtect call 1ba0cce call 1ba0ce7 658->662 660->662 663 1ba02b2-1ba02cc 660->663 669 1ba03d1-1ba03e0 662->669 663->660 670 1ba0439-1ba04b8 VirtualFree 669->670 671 1ba03e2-1ba0437 call 1ba0ce7 669->671 673 1ba04be-1ba04cd 670->673 674 1ba05f4-1ba05fe 670->674 671->669 676 1ba04d3-1ba04dd 673->676 677 1ba077f-1ba0789 674->677 678 1ba0604-1ba060d 674->678 676->674 682 1ba04e3-1ba0505 LoadLibraryA 676->682 680 1ba078b-1ba07a3 677->680 681 1ba07a6-1ba07b0 677->681 678->677 683 1ba0613-1ba0637 678->683 680->681 684 1ba086e-1ba08be LoadLibraryA 681->684 685 1ba07b6-1ba07cb 681->685 686 1ba0517-1ba0520 682->686 687 1ba0507-1ba0515 682->687 688 1ba063e-1ba0648 683->688 692 1ba08c7-1ba08f9 684->692 689 1ba07d2-1ba07d5 685->689 690 1ba0526-1ba0547 686->690 687->690 688->677 691 1ba064e-1ba065a 688->691 693 1ba07d7-1ba07e0 689->693 694 1ba0824-1ba0833 689->694 695 1ba054d-1ba0550 690->695 691->677 696 1ba0660-1ba066a 691->696 697 1ba08fb-1ba0901 692->697 698 1ba0902-1ba091d 692->698 699 1ba07e2 693->699 700 1ba07e4-1ba0822 693->700 704 1ba0839-1ba083c 694->704 701 1ba05e0-1ba05ef 695->701 702 1ba0556-1ba056b 695->702 703 1ba067a-1ba0689 696->703 697->698 699->694 700->689 701->676 705 1ba056f-1ba057a 702->705 706 1ba056d 702->706 707 1ba068f-1ba06b2 703->707 708 1ba0750-1ba077a 703->708 704->684 709 1ba083e-1ba0847 704->709 711 1ba059b-1ba05bb 705->711 712 1ba057c-1ba0599 705->712 706->701 713 1ba06ef-1ba06fc 707->713 714 1ba06b4-1ba06ed 707->714 708->688 715 1ba084b-1ba086c 709->715 716 1ba0849 709->716 723 1ba05bd-1ba05db 711->723 712->723 717 1ba074b 713->717 718 1ba06fe-1ba0748 713->718 714->713 715->704 716->684 717->703 718->717 723->695
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 01BA024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 17c8ab306c13c338b87bc1105f843d92ba2bf3a8ceff4a51ee0e811d5dbf232b
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 47527974A01229DFDB64CF68C984BACBBB1BF09304F5480D9E94DAB351DB30AA94CF14
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
• lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
• lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
  • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
  • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
  • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
  • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
  • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
• String ID: PromptOnSecureDesktop
• API String ID: 4131120076-2980165447
• Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                                                                                • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                                                                                                • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                                                                                • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph
• Rendered graph (not reproduced): 10 basic blocks, 404000-40405c; CreateFileA at 40400b-40402a, GetLastError at 40402c-404035, Sleep at 404041-404050; the Sleep block branches back to the CreateFileA block (a retry loop).
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID: PromptOnSecureDesktop
• API String ID: 408151869-2980165447
• Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
• Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Rendered graph (not reproduced): 19 basic blocks, 406987-406a5f; WriteFile at 4069e4-4069fd and at 406a10-406a2e; the second WriteFile is re-entered from 406a35-406a3a (a write loop).
APIs
• WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
• Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
• Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Rendered graph (not reproduced): 8 basic blocks, 406dc2-406e35; 406dd7-406df1 calls 00406CC9 and 0040EF00, then GetVolumeInformationA at 406e02-406e22.
APIs
  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
• String ID: Xw
• API String ID: 1823874839-290828094
• Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
• Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Rendered graph (not reproduced): 36 basic blocks, 4091eb-409324; calls 0040ED03 (twice) and 0040EE08, ShellExecuteA at 4092bf-4092db, Sleep at 4092f1-4092f6; 4092fc-409302 branches back to 40920e-40921c (the body loops).
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
• Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-0
• Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
• Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
• Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
• Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Rendered graph (not reproduced): 3 basic blocks, 1ba0e0f-1ba0e2c; two SetErrorMode calls in 1ba0e0f-1ba0e24, followed by a branch to 1ba0e26 or 1ba0e2b.
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,01BA0223,?,?), ref: 01BA0E19
• SetErrorMode.KERNELBASE(00000000,?,?,01BA0223,?,?), ref: 01BA0E1E
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: 8e1551b3fd85681e0abde4d6efc29f5ad6f6bc8350b15209521bb16e22067699
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: C0D0123154512877DB003A94DC09BCD7F1CDF09B62F408051FB0DD9080C770954046E5
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 01C2017B
Memory Dump Source
• Source File: 00000000.00000002.1671898553.0000000001C1B000.00000040.00000020.00020000.00000000.sdmp, Offset: 01C1B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c1b000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 7dde187c58915179e08def3c5b9d32fae7148e36ff8c9104328cc631ff60b43e
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 33113C79A00208EFDB01DF98C985E98BFF5AF08350F158095F9489B361D371EA90EF80
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• closesocket.WS2_32(?), ref: 0040CA4E
• closesocket.WS2_32(?), ref: 0040CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
• wsprintfA.USER32 ref: 0040CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• CloseHandle.KERNEL32(?), ref: 0040CD98
• CloseHandle.KERNEL32(?), ref: 0040CD9D
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
• lstrcatA.KERNEL32(?,?), ref: 0040D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• CloseHandle.KERNEL32(00000000), ref: 0040D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
• CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
• closesocket.WS2_32(?), ref: 0040D56C
• Sleep.KERNEL32(000003E8), ref: 0040D577
• ExitProcess.KERNEL32 ref: 0040D583
• wsprintfA.USER32 ref: 0040D81F
  • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
• closesocket.WS2_32(?), ref: 0040DAD5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-3791576231
• Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
• Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
• Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
• Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
• GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
• GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
• GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
• GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
• GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
• GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
• GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
• GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
• GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
• Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
• Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
• Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
• wsprintfA.USER32 ref: 0040B3B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                                                                • String ID: D
                                                                                                                                                                • API String ID: 3722657555-2746444292
Uniqueness Score: -1.00%

APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
• API String ID: 1628651668-179334549
Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
Uniqueness Score: -1.00%

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
• ExitProcess.KERNEL32 ref: 00404121
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CreateEventExitProcess
• String ID: PromptOnSecureDesktop
• API String ID: 2404124870-2980165447
Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
Uniqueness Score: -1.00%

APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
                                                                                                                                                                • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                                                                                • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                                                                                                • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                                                                                • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                                                                                                • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                                                                                                • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1965334864-0
                                                                                                                                                                • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                                                                                • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                                                                                                • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                                                                                • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 01BA65F6
                                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 01BA6610
                                                                                                                                                                • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 01BA6631
                                                                                                                                                                • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 01BA6652
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1965334864-0
                                                                                                                                                                • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                                                                                • Instruction ID: 11e5f4793ea04acf4d2f810d5cd764ab4a0277495068909ef4800a02a9697b0b
                                                                                                                                                                • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                                                                                • Instruction Fuzzy Hash: 0211A3B1604219BFEB259F79DC05FDB3FA8EB057A5F044064FA08E7250D7B1DD0086A4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                                                                                                • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                                                                                                  • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                                                                                                  • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3754425949-0
                                                                                                                                                                • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                                                                                                • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                                                                                                • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                                                                                                • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: .$GetProcAddress.$l
                                                                                                                                                                • API String ID: 0-2784972518
                                                                                                                                                                • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                                                • Instruction ID: f7622bca67e8a0fabde06d80a345122eb701df6b79c10c88792d6d3f5031eead
                                                                                                                                                                • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                                                • Instruction Fuzzy Hash: 4A318DB6904609DFEB14DF99C880AAEBBF5FF08324F54418AE841A7310D771EA45CFA4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 03fd4745e96db8b8e148b9ba84f42d287e57e518810e0ff804ed2376424d8b03
                                                                                                                                                                • Instruction ID: d38669364c2824b197179c0a83fb8b6da93bb079ef524c7dff3da19512612e44
                                                                                                                                                                • Opcode Fuzzy Hash: 03fd4745e96db8b8e148b9ba84f42d287e57e518810e0ff804ed2376424d8b03
                                                                                                                                                                • Instruction Fuzzy Hash: 5C715BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790CBB86488CF98
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671898553.0000000001C1B000.00000040.00000020.00020000.00000000.sdmp, Offset: 01C1B000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1c1b000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                                                                • Instruction ID: 6f20f355e19978d19393eca3ae304c83d516e1a07ca65d2cfe620551aad9505d
                                                                                                                                                                • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                                                                • Instruction Fuzzy Hash: 7011C272380101DFD700DF69DC90FB277EAEB8A220B598069ED14CB319E675E802C761
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                                                • Instruction ID: a9288426af110887927f38d54eb2e1c204fe17af71f6a895adfea3484f7c3f4a
                                                                                                                                                                • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                                                • Instruction Fuzzy Hash: 0001F773A006009FDF26EF24C804BAE33E5EB86205F8940E4EA0697242E370A9418B80
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • ExitProcess.KERNEL32 ref: 01BA9E6D
                                                                                                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 01BA9FE1
                                                                                                                                                                • lstrcat.KERNEL32(?,?), ref: 01BA9FF2
                                                                                                                                                                • lstrcat.KERNEL32(?,0041070C), ref: 01BAA004
                                                                                                                                                                • GetFileAttributesExA.KERNEL32(?,?,?), ref: 01BAA054
                                                                                                                                                                • DeleteFileA.KERNEL32(?), ref: 01BAA09F
                                                                                                                                                                • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 01BAA0D6
                                                                                                                                                                • lstrcpy.KERNEL32 ref: 01BAA12F
• lstrlen.KERNEL32(00000022), ref: 01BAA13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 01BA9F13
  • Part of subcall function 01BA7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 01BA7081
  • Part of subcall function 01BA6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\kofydeki,01BA7043), ref: 01BA6F4E
  • Part of subcall function 01BA6F30: GetProcAddress.KERNEL32(00000000), ref: 01BA6F55
  • Part of subcall function 01BA6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 01BA6F7B
  • Part of subcall function 01BA6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 01BA6F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 01BAA1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 01BAA1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 01BAA214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 01BAA21B
• GetDriveTypeA.KERNEL32(?), ref: 01BAA265
• lstrcat.KERNEL32(?,00000000), ref: 01BAA29F
• lstrcat.KERNEL32(?,00410A34), ref: 01BAA2C5
• lstrcat.KERNEL32(?,00000022), ref: 01BAA2D9
• lstrcat.KERNEL32(?,00410A34), ref: 01BAA2F4
• wsprintfA.USER32 ref: 01BAA31D
• lstrcat.KERNEL32(?,00000000), ref: 01BAA345
• lstrcat.KERNEL32(?,?), ref: 01BAA364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 01BAA387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 01BAA398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 01BAA1D1
  • Part of subcall function 01BA9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 01BA999D
  • Part of subcall function 01BA9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 01BA99BD
  • Part of subcall function 01BA9966: RegCloseKey.ADVAPI32(?), ref: 01BA99C6
• GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 01BAA3DB
• GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 01BAA3E2
• GetDriveTypeA.KERNEL32(00000022), ref: 01BAA41D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
• String ID: "$"$"$D$P$\
• API String ID: 1653845638-2605685093
• Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
• Instruction ID: 840337fd80ca1390cf98264b212ab3c904ddb727a67e9a59ef406b4004719167
• Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
• Instruction Fuzzy Hash: F7F130B1C44259AEDF25DBB4CC88EEF7BBCEB18304F8444E6E605E2141E7759A84CB64
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: D$PromptOnSecureDesktop
• API String ID: 2976863881-1403908072
• Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
• Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 01BA7D21
• GetUserNameA.ADVAPI32(?,?), ref: 01BA7D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 01BA7D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 01BA7DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 01BA7DC0
• EqualSid.ADVAPI32(?,?), ref: 01BA7DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 01BA7DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 01BA7DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 01BA7E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 01BA7E12
• LocalFree.KERNEL32(00000000), ref: 01BA7E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01BA7E35
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: D$PromptOnSecureDesktop
• API String ID: 2976863881-1403908072
• Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction ID: deaf6837e076087170967d9c33c9feff18e65c9de7742827fec301becc721fb7
• Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction Fuzzy Hash: C6A15071904219AFDF259FA4DD48FEEBFBDFB08301F4480A9E605E2150DB768A85CB64
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
• Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
Uniqueness

Uniqueness Score: -1.00%

APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
• Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 01BA7A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 01BA7ACD
• GetLengthSid.ADVAPI32(?), ref: 01BA7ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 01BA7B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 01BA7B1F
• EqualSid.ADVAPI32(?,?), ref: 01BA7B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 01BA7B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 01BA7B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 01BA7B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 01BA7B77
• LocalFree.KERNEL32(00000000), ref: 01BA7B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01BA7B9A
• GetAce.ADVAPI32(?,?,?), ref: 01BA7BCA
• EqualSid.ADVAPI32(?,?), ref: 01BA7BF1
• DeleteAce.ADVAPI32(?,?), ref: 01BA7C0A
• EqualSid.ADVAPI32(?,?), ref: 01BA7C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 01BA7CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 01BA7CBF
                                                                                                                                                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 01BA7CD0
                                                                                                                                                                • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 01BA7CE0
                                                                                                                                                                • LocalFree.KERNEL32(00000000), ref: 01BA7CEE
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                                                                • String ID: D
                                                                                                                                                                • API String ID: 3722657555-2746444292
                                                                                                                                                                • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                                                • Instruction ID: 154fb69196c4edf94e1570a8a24e1f2b794250cb37dd7f883ef3840bcdee17d4
                                                                                                                                                                • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                                                • Instruction Fuzzy Hash: B0814E71908219AFDB15CFA4DD44FEEBFB8EF08300F4481BAE605E6150EB769645CBA4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                                                                                                • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                                                                                                • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Value$CloseOpenQuery
                                                                                                                                                                • String ID: PromptOnSecureDesktop$localcfg
                                                                                                                                                                • API String ID: 237177642-1678164370
                                                                                                                                                                • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                                                                                                • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                                                                                                • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                                                                                                • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                                                                                                • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                                                                                                • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                                                                                                • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                                                                                                • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                                                                                                • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                                                                                                • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                                                                                • API String ID: 835516345-270533642
                                                                                                                                                                • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                                                                                • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                                                                                                • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                                                                                • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 01BA865A
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 01BA867B
                                                                                                                                                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 01BA86A8
                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 01BA86B1
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Value$CloseOpenQuery
                                                                                                                                                                • String ID: "$PromptOnSecureDesktop
                                                                                                                                                                • API String ID: 237177642-3108538426
                                                                                                                                                                • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                                                                                • Instruction ID: 98cef93c622c76c28ef1122a60446c3e7b1ceb8cbc6e6f143ea161a6437f54ba
                                                                                                                                                                • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                                                                                • Instruction Fuzzy Hash: 00C1C4B1944109BEFF15ABA8EC84EEF7FBDEB18301F5440E5F604E6050EB704A948B65
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 01BA1601
                                                                                                                                                                • lstrlenW.KERNEL32(-00000003), ref: 01BA17D8
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExecuteShelllstrlen
                                                                                                                                                                • String ID: $<$@$D
                                                                                                                                                                • API String ID: 1628651668-1974347203
                                                                                                                                                                • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                                                                                • Instruction ID: dbec250d873bfd32235f88a1ca9f436a2f89b3ed8de6859b79b937f9834d023d
                                                                                                                                                                • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                                                                                • Instruction Fuzzy Hash: 2FF19FB15083419FD724CF68C888BABBBE5FB88304F80896DF69697390D7B4D944CB56
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 01BA76D9
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 01BA7757
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 01BA778F
                                                                                                                                                                • ___ascii_stricmp.LIBCMT ref: 01BA78B4
                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 01BA794E
                                                                                                                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 01BA796D
                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 01BA797E
                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 01BA79AC
                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 01BA7A56
                                                                                                                                                                  • Part of subcall function 01BAF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,01BA772A,?), ref: 01BAF414
                                                                                                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 01BA79F6
                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 01BA7A4D
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                                                                                • String ID: "$PromptOnSecureDesktop
                                                                                                                                                                • API String ID: 3433985886-3108538426
                                                                                                                                                                • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                                                                                • Instruction ID: 0df2ac55ec15c26ccd376e453ddbc45771a6e97e69a2a5f124d81ac36deb45b3
                                                                                                                                                                • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                                                                                • Instruction Fuzzy Hash: 15C1847190C10ABBEF259FA8DC44FEE7BB9EF55310F9440E6E504E6150EF729A848B60
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 01BA2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 01BA2D07
• htons.WS2_32(00000000), ref: 01BA2D42
• select.WS2_32 ref: 01BA2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 01BA2DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 01BA2E62
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: 0c407ff5aa5cfbd3363c3443276a1f7afa6302e656a43c7c48ad310ba9dc8fba
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: 7A61057150C305AFC729AF64DC48B6BBBE8FB48341F4048D9FA8897151D7B5D8848BA6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?), ref: 01BA95A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 01BA95D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 01BA95DC
• wsprintfA.USER32 ref: 01BA9635
• wsprintfA.USER32 ref: 01BA9673
• wsprintfA.USER32 ref: 01BA96F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 01BA9758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 01BA978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 01BA97D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop
• API String ID: 3696105349-2980165447
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: d0921e2365c1bff9afb475d9790d0106b33abe0729cba344b647963a7ec55810
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: AAA19CB1904208EBEF29DFA4CC84FDE3BACEB04744F5040A6FA15D2151E7B5D9849BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-142018493
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
Uniqueness

Uniqueness Score: -1.00%

APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
• Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
Uniqueness
Uniqueness Score: -1.00%

APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
• Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
• Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 01BA3068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 01BA3078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 01BA3095
• RtlAllocateHeap.NTDLL(00000000), ref: 01BA30B6
• htons.WS2_32(00000035), ref: 01BA30EF
• inet_addr.WS2_32(?), ref: 01BA30FA
• gethostbyname.WS2_32(?), ref: 01BA310D
• HeapFree.KERNEL32(00000000), ref: 01BA314D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: b817f1597e199ab4dbe396c61b7621fed9c74f030b1f56632ef56c06fb6d62cc
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: A531D631A04606ABEF159BBD9C48BAE7BF8FF04360F5441A5E618E32A0DB74E5418B58
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
• API String ID: 1082366364-2834986871
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D$PromptOnSecureDesktop
• API String ID: 2981417381-1403908072
• Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
• Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 01BA67C3
• htonl.WS2_32(?), ref: 01BA67DF
• htonl.WS2_32(?), ref: 01BA67EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 01BA68F1
• ExitProcess.KERNEL32 ref: 01BA69BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: d3fe59b055f06adc5bab866fac99d4a6617e837cdd138f42e90a02869a4fdad0
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 8A617EB1A40208AFDF649FB4DC45FEA77E9FB08300F14806AFA6DD2161EB7599948F14
Uniqueness
Uniqueness Score: -1.00%

APIs
• htons.WS2_32(01BACC84), ref: 01BAF5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 01BAF5CE
• closesocket.WS2_32(00000000), ref: 01BAF5DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: fb939f77be6905a3aad12d27ab332ea98117b704b2f5162a63c470b5c75825a0
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: C2315A72904119ABDB11DFA9DC88DEE7BBCEF88310F5045AAF915E3150E7709A81CBE4
Uniqueness
Uniqueness Score: -1.00%
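The two function entries above read more easily once their numeric arguments are decoded. In the CreateProcessA ... ResumeThread entry (call sites 004097B1 to 0040985B), the sixth CreateProcessA argument 00000004 is CREATE_SUSPENDED, the 00000004 in WriteProcessMemory's nSize slot is a single 32-bit pointer, and the whole sequence is the suspended-create / get-context / write / set-context / resume pattern commonly called process hollowing; in the WS2_32 entry, socket(00000002,00000001,00000000) is AF_INET, SOCK_STREAM. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses the report's "• Api.Module(args), ref: addr" lines, decodes those constants, and flags an entry whose calls contain that chain with CREATE_SUSPENDED set. The sample text is copied from the two entries above and labelled as constructed input; reading the 00010002 in SetThreadContext's second slot as a CONTEXT.ContextFlags value (CONTEXT_i386|CONTEXT_INTEGER) is an assumption about what the sandbox printed there, and the Nt/Wow64 alternatives in the chain table are the usual equivalents, not calls seen in this report.

```python
"""Decode Joe Sandbox per-function API arguments and flag the process-hollowing chain (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the API lines of two function entries copied from the report.
SAMPLE = """\
APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
Strings
APIs
• htons.WS2_32(01BACC84), ref: 01BAF5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 01BAF5CE
• closesocket.WS2_32(00000000), ref: 01BAF5DC
Strings
"""

@dataclass
class ApiCall:
    api: str
    args: List[Optional[int]]  # None where the sandbox printed '?' or a string
    ref: int                   # call-site address

# "• Api.Module(arg,...), ref: 0040ABCD"; the parentheses are absent when no
# arguments were captured (e.g. "• ExitProcess.KERNEL32 ref: 01BA69BC").
CALL_RE = re.compile(r"^[•\-]?\s*(\w+)\.\w+(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def parse_entries(text: str) -> List[List[ApiCall]]:
    """Split the listing at each 'APIs' header and parse the call lines under it."""
    entries: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            entries.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            toks = m.group(2).split(",") if m.group(2) else []
            args = [int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", t.strip()) else None for t in toks]
            current.append(ApiCall(m.group(1), args, int(m.group(3), 16)))
    return entries

# Documented Win32 constant values; the tables are deliberately short.
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE", 0x08000000: "CREATE_NO_WINDOW"}
CONTEXT_BITS = {0x1: "CONTEXT_CONTROL", 0x2: "CONTEXT_INTEGER", 0x4: "CONTEXT_SEGMENTS",
                0x8: "CONTEXT_FLOATING_POINT", 0x10: "CONTEXT_DEBUG_REGISTERS"}
ADDRESS_FAMILY, SOCKET_TYPE = {2: "AF_INET", 23: "AF_INET6"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}

def _bits(value: int, table: Dict[int, str]) -> str:
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)  # bits missing from the table stay visible as hex
    return "|".join(names + ([hex(leftover)] if leftover else [])) or "0"

def _context(value: int) -> str:
    # ContextFlags = CONTEXT_i386 (0x10000) OR'ed with the register-set bits.
    names = ["CONTEXT_i386"] if value & 0x10000 else []
    low = _bits(value & 0xFFFF, CONTEXT_BITS)
    return "|".join(names + ([low] if low != "0" else [])) or "0"

# (API name, zero-based argument index) -> decoder. Reading slot 1 of SetThreadContext
# as CONTEXT.ContextFlags is an assumption about what the sandbox printed there.
DECODERS = {("CreateProcessA", 5): lambda v: _bits(v, CREATION_FLAGS),
            ("SetThreadContext", 1): _context,
            ("socket", 0): lambda v: ADDRESS_FAMILY.get(v, hex(v)),
            ("socket", 1): lambda v: SOCKET_TYPE.get(v, hex(v))}

def decode_args(call: ApiCall) -> Dict[int, str]:
    return {i: DECODERS[(call.api, i)](v) for i, v in enumerate(call.args)
            if v is not None and (call.api, i) in DECODERS}

# Ordered steps of the suspended-process injection chain; each step also accepts
# the usual Nt/Wow64 equivalent of the documented API (an assumption, not seen here).
HOLLOWING_STEPS = ({"CreateProcessA", "CreateProcessW"}, {"GetThreadContext", "Wow64GetThreadContext"},
                   {"WriteProcessMemory", "NtWriteVirtualMemory"},
                   {"SetThreadContext", "Wow64SetThreadContext"}, {"ResumeThread", "NtResumeThread"})

def looks_like_hollowing(entry: List[ApiCall]) -> bool:
    """True if the chain occurs as a subsequence of the entry's calls (other calls may
    sit in between) and the CreateProcess call carried CREATE_SUSPENDED."""
    step, suspended = 0, False
    for call in entry:
        if step < len(HOLLOWING_STEPS) and call.api in HOLLOWING_STEPS[step]:
            if step == 0:
                flags = call.args[5] if len(call.args) > 5 else None
                suspended = flags is not None and bool(flags & 0x4)
            step += 1
    return step == len(HOLLOWING_STEPS) and suspended

def summarize(text: str) -> List[dict]:
    """One dict per function entry: API names, decoded arguments, hollowing verdict."""
    out = []
    for entry in parse_entries(text):
        decoded = {f"{c.api}[{i}]": n for c in entry for i, n in decode_args(c).items()}
        out.append({"apis": [c.api for c in entry], "decoded": decoded,
                    "hollowing": looks_like_hollowing(entry)})
    return out

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

Run it on a report saved as text (`summarize(open("report.txt", encoding="utf-8").read())`) to get one verdict per function entry. The match is per entry, so a chain split across several functions, or one that replaces WriteProcessMemory with NtMapViewOfSection, is not caught; the chain table is where to extend it.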

APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(?), ref: 01BA2FA1
• LoadLibraryA.KERNEL32(?), ref: 01BA2FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 01BA2FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 01BA3000
• RtlAllocateHeap.NTDLL(00000000), ref: 01BA3007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 01BA3032
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: dfc353f720bc6f83d1acfffa06d8e7319a6b9b2d6c5ceeb2a2921108af891ef3
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 2121A471944225BBCB229B58DC44AEEBFBCFF08B10F4084A1F901E7150D7B59A8187D4
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Code
• String ID: PromptOnSecureDesktop
• API String ID: 3609698214-2980165447
• Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\kofydeki,01BA7043), ref: 01BA6F4E
• GetProcAddress.KERNEL32(00000000), ref: 01BA6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 01BA6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 01BA6F92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\kofydeki
• API String ID: 1082366364-34391367
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: 752ad4b3389728f3932b5d96b692ddd5f9ef73d66be85e54c07e1b2e681fe47d
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: 6421F26178834179F73A67399C88FFB2E4CCB66710F9840E9F504D6081DBDA84D682AD
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
• Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
• Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 01BA92E2
• wsprintfA.USER32 ref: 01BA9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01BA9375
• lstrlen.KERNEL32(?,?,00000000), ref: 01BA9389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 01BA9394
• CloseHandle.KERNEL32(00000000), ref: 01BA939B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: 06dc13e205dacc6574d412b54c9edc31cab6aea0870b8e70fbc978fee3081191
• Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction Fuzzy Hash: 781184B17441147BFB287B32EC0DFEF3A6DDBD8B11F4080A5BB09E5090EBB59A418664
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 01BA9A18
• GetThreadContext.KERNEL32(?,?), ref: 01BA9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 01BA9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 01BA9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 01BA9AB5
• ResumeThread.KERNEL32(?), ref: 01BA9AC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: 1eabe425df1386ccb734e9f5822cd8d1c6b3f6da563b98aeb15e69e8075d481e
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: E7213BB1A05219BBDF219BA1DC49EEF7FBCEF08754F8040A1FA19E5050E7758A44CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• inet_addr.WS2_32(004102D8), ref: 01BA1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 01BA1C26
• GetProcessHeap.KERNEL32 ref: 01BA1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 01BA1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 01BA1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 01BA1D02
• FreeLibrary.KERNEL32(?), ref: 01BA1D0B
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 7dea643b570ad01e1f4406c32df8cf67750c871cf3b41f57884638fd892807db
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: B8315E31D04219BFDB55AFA8DC888AEBEB9EB45301F6444BAE601A6110D7B54E80CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1586453840-2980165447
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID: PromptOnSecureDesktop
• API String ID: 1371578007-2980165447
• Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
• Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 01BA6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 01BA6D22
• GetLastError.KERNEL32 ref: 01BA6DA7
• CloseHandle.KERNEL32(?), ref: 01BA6DB5
• GetLastError.KERNEL32 ref: 01BA6DD6
• DeleteFileA.KERNEL32(?), ref: 01BA6DE7
• GetLastError.KERNEL32 ref: 01BA6DFD
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: bd50fe4483f859d446ad0c864689f4b0d6f15c57ebc6dd1e9b8d17f798c2ea7d
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6F3123B2804249BFDB05DFA8DD48ADE7F78EB48340F4881A5E291E3250D7708A858BA1
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                                                                                • CharToOemA.USER32(?,?), ref: 00409174
                                                                                                                                                                • wsprintfA.USER32 ref: 004091A9
                                                                                                                                                                  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                                                                                  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                                                                                  • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                                                                                  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                                                                                  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                                                                                  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                                                                                • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                 • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                • API String ID: 3857584221-2980165447
                                                                                                                                                                • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                                                                                • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                                                                                • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                                                                                • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 01BA93C6
                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 01BA93CD
                                                                                                                                                                • CharToOemA.USER32(?,?), ref: 01BA93DB
                                                                                                                                                                • wsprintfA.USER32 ref: 01BA9410
                                                                                                                                                                  • Part of subcall function 01BA92CB: GetTempPathA.KERNEL32(00000400,?), ref: 01BA92E2
                                                                                                                                                                  • Part of subcall function 01BA92CB: wsprintfA.USER32 ref: 01BA9350
                                                                                                                                                                  • Part of subcall function 01BA92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01BA9375
                                                                                                                                                                  • Part of subcall function 01BA92CB: lstrlen.KERNEL32(?,?,00000000), ref: 01BA9389
                                                                                                                                                                  • Part of subcall function 01BA92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 01BA9394
                                                                                                                                                                  • Part of subcall function 01BA92CB: CloseHandle.KERNEL32(00000000), ref: 01BA939B
                                                                                                                                                                • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 01BA9448
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                • API String ID: 3857584221-2980165447
                                                                                                                                                                • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                                                                                • Instruction ID: 65f24feee07d5feac568e6077fc3f8410726befaf008420350189a4bbba9a9ff
                                                                                                                                                                • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                                                                                • Instruction Fuzzy Hash: 01019EF69001187BEB21A7619D89EDF3B7CDB95701F0000A2BB09E2080EBB49BC48F75
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: lstrlen
                                                                                                                                                                • String ID: $localcfg
                                                                                                                                                                • API String ID: 1659193697-2018645984
                                                                                                                                                                • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                                                                                                • Instruction ID: 074c13fcb9bf45fdc4ca3d2f7794d19ee6bb1e94e207356d86dd99aaa347a78f
                                                                                                                                                                • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                                                                                                • Instruction Fuzzy Hash: 3D712A71A4C3056BEF399A78DC85FEE3B69DB00704FA404EAFA45A30D0DB629584C7B5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                                                                  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                                                                  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                                                                  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                                                                                                • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                                                                                                • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                                                                                                • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                                                                                                • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                 • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                                                                                • String ID: flags_upd$localcfg
                                                                                                                                                                • API String ID: 204374128-3505511081
                                                                                                                                                                • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                                                                                • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                                                                                                • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                                                                                • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 01BADF6C: GetCurrentThreadId.KERNEL32 ref: 01BADFBA
                                                                                                                                                                • lstrcmp.KERNEL32(00410178,00000000), ref: 01BAE8FA
                                                                                                                                                                • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,01BA6128), ref: 01BAE950
                                                                                                                                                                • lstrcmp.KERNEL32(?,00000008), ref: 01BAE989
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                                                                                                • String ID: A$ A$ A
                                                                                                                                                                • API String ID: 2920362961-1846390581
                                                                                                                                                                • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                                                                                • Instruction ID: ce89ffb482e53db0b8bbff6c874050dd996fa981decb13d49e7d22f9605b7d2a
                                                                                                                                                                • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                                                                                • Instruction Fuzzy Hash: 5531C431608706DBDF7ACF28C884BAA7BE4FF05720F8085ABE65587551D370E884CB91
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Code
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3609698214-0
                                                                                                                                                                • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                                                                                • Instruction ID: 39db06b2da2632014b00f20b98b2dba888d1bb45191fcb192d212d80ea2b86fb
                                                                                                                                                                • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                                                                                • Instruction Fuzzy Hash: 12216DB2208115FFDB19AB74EC48EDF7FADDB48260B5485A1F602D1090EB70DA009674
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 01BAC6B4
• InterlockedIncrement.KERNEL32(01BAC74B), ref: 01BAC715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,01BAC747), ref: 01BAC728
• CloseHandle.KERNEL32(00000000,?,01BAC747,00413588,01BA8A77), ref: 01BAC733
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: d42521b93ca9f295ec90a86199a0acdf29f305e2f107a0c361cf24c8c2195f49
• Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction Fuzzy Hash: B55115B1A05B418FD7688F6DC68562ABFE9FB48300B90597EE18BC7A90D774F8448B50
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 124786226-2980165447
• Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
• Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
• Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.ADVAPI32(80000001,01BAE50A,00000000,00000000,00000000,00020106,00000000,01BAE50A,00000000,000000E4), ref: 01BAE319
• RegSetValueExA.ADVAPI32(01BAE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 01BAE38E
• RegDeleteValueA.ADVAPI32(01BAE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 01BAE3BF
• RegCloseKey.ADVAPI32(01BAE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,01BAE50A), ref: 01BAE3C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: 68f93ae01dacd65650f38b19bf8d6053cf183d76481fc8baba7f937db0cf19a2
• Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: AA217C31A0421DBBDF219FA8EC88EEE7FB8EF08750F4080A1F904A6051E771CA54C7A0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 01BA71E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 01BA7228
• LocalFree.KERNEL32(?,?,?), ref: 01BA7286
• wsprintfA.USER32 ref: 01BA729D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 2b4c9d1f75f84e8468592d64fabc699806b0c6fe6daf9424d4bf407636691f39
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 52314B72A08209BFDB05DFA8DC44ADE3BACEF04310F14C0A6F959DB101EB75E6488B94
Uniqueness

Uniqueness Score: -1.00%

APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                                                                • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                                                                                                • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                                                                • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 01BAB51A
                                                                                                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01BAB529
                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 01BAB548
                                                                                                                                                                • GetTimeZoneInformation.KERNEL32(?), ref: 01BAB590
                                                                                                                                                                • wsprintfA.USER32 ref: 01BAB61E
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 4026320513-0
                                                                                                                                                                • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                                                                • Instruction ID: 256986010881a7c502806f9f047562f9cd4b9b533d37586ba76adbcd853e40ba
                                                                                                                                                                • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                                                                • Instruction Fuzzy Hash: 8B513FB1D0021DAACF18DFD5D9885EEBBB9FF48304F50816AF511A6150E7B84AC9CF98
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 01BA6303
                                                                                                                                                                • LoadLibraryA.KERNEL32(?), ref: 01BA632A
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 01BA63B1
                                                                                                                                                                • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 01BA6405
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: HugeRead$AddressLibraryLoadProc
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3498078134-0
                                                                                                                                                                • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                                                                                • Instruction ID: 99ca3721b7738516c823628d2907f0151cda862059dc3b68f2a54df60e807a0d
                                                                                                                                                                • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                                                                                • Instruction Fuzzy Hash: A6416DB1A08205EFEB18CF5CC884AADBBF5FF04354F5881A9E915D7290DB71E945CB50
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                                                                                • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                                                                                                • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                                                                                • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                                                                  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                                                                  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                                                                • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                                                                                                • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                                                                                • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                                                                                • String ID: A$ A
                                                                                                                                                                • API String ID: 3343386518-686259309
                                                                                                                                                                • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                                                                                • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                                                                                • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                                                                                • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                                                                                • htons.WS2_32(00000001), ref: 00402752
                                                                                                                                                                • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                                                                                • htons.WS2_32(00000001), ref: 004027E3
                                                                                                                                                                • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                                                                                  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                                                                                  • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1128258776-0
                                                                                                                                                                • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                                                                                • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                                                                                • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                                                                                • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                                                                                • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                                                                                • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: setsockopt
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3981526788-0
                                                                                                                                                                • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                                                                                • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                                                                                • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                                                                                • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                                                                                                Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E558
• ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E583
• CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E5B2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID: PromptOnSecureDesktop
• API String ID: 3683885500-2980165447
• Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
• Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 01BADF6C: GetCurrentThreadId.KERNEL32 ref: 01BADFBA
• GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,01BAA6AC), ref: 01BAE7BF
• ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,01BAA6AC), ref: 01BAE7EA
• CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,01BAA6AC), ref: 01BAE819
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: File$CloseCurrentHandleReadSizeThread
• String ID: PromptOnSecureDesktop
• API String ID: 1396056608-2980165447
• Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction ID: 0f0a07f658bc98a62b17f2b9161086beb5a76d130b14b5aeed5b86ded1eead9d
• Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction Fuzzy Hash: B92137B1A483023AFA257B759C05FEB3E0CCB74760F9000A5BA09A11D2EB65D55082B5
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 01BA76D9
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 01BA796D
• RegCloseKey.ADVAPI32(?), ref: 01BA797E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1332880857-2980165447
• Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction ID: 80cad8bdb78226bb900a4667f59d5cc37705c6b554b6f09df3521380fd4ebeaf
• Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction Fuzzy Hash: A011D370A08109AFEB128FADDC44FEFBF79EF55710F540195F615E6290EBB289408B60
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
• Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
• Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
• Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
• Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 01BA999D
• RegDeleteValueA.ADVAPI32(?,00000000), ref: 01BA99BD
• RegCloseKey.ADVAPI32(?), ref: 01BA99C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
• Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
• Instruction ID: 8d9a5144cedc6703a6f117e77f04b309b17ccef7352bb4aafdde3deeb802fa4b
• Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
• Instruction Fuzzy Hash: 6EF0C2B2680208BBF7116B54EC06FDF3A2CDB94B14F5000A0FA05B5081F7E59F9082B9
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: gethostbynameinet_addr
                                                                                                                                                                • String ID: time_cfg$u6A
                                                                                                                                                                • API String ID: 1594361348-1940331995
                                                                                                                                                                • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                • Instruction ID: 5d02147f21a0653b5fd121cbe75de5db8d443bd760461e2ad4d9de345225a20d
                                                                                                                                                                • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                • Instruction Fuzzy Hash: EBE0C7306082218FDB418B2CF848ACA3BE4EF0A230F4081D1F080C32A1C734DCC0AB80
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • SetFileAttributesA.KERNEL32(?,00000080), ref: 01BA69E5
                                                                                                                                                                • SetFileAttributesA.KERNEL32(?,00000002), ref: 01BA6A26
                                                                                                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 01BA6A3A
                                                                                                                                                                • CloseHandle.KERNEL32(000000FF), ref: 01BA6BD8
                                                                                                                                                                  • Part of subcall function 01BAEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,01BA1DCF,?), ref: 01BAEEA8
                                                                                                                                                                  • Part of subcall function 01BAEE95: HeapFree.KERNEL32(00000000), ref: 01BAEEAF
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3384756699-0
                                                                                                                                                                • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                                                                                • Instruction ID: c0b6b90bdb1c2aa2888dbe4c2fb6ab4a43461667529e3ef616a84d1df39de95c
                                                                                                                                                                • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                                                                                • Instruction Fuzzy Hash: 8E7139B190421DEFDF15DFA8CC81AEEBBB9FB04310F9445AAE615E6190D7309E92CB50
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: wsprintf
                                                                                                                                                                • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                                                                                • API String ID: 2111968516-120809033
                                                                                                                                                                • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                                                                                • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                                                                                                • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                                                                                • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                                                                                                • GetLastError.KERNEL32 ref: 00403F4E
                                                                                                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3373104450-0
                                                                                                                                                                • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                                                                                                • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                                                                                                • GetLastError.KERNEL32 ref: 00403FC2
                                                                                                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 888215731-0
                                                                                                                                                                • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                                                                                                • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 01BA421F
                                                                                                                                                                • GetLastError.KERNEL32 ref: 01BA4229
                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 01BA423A
                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 01BA424D
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 888215731-0
                                                                                                                                                                • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                • Instruction ID: 2370c1be5bef78155c05964b52c5e782cd177164a2602fb5d63c45119a93559e
                                                                                                                                                                • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                • Instruction Fuzzy Hash: C2010872525209AFDF02DF94EE84BEF7BACEB08255F4080A1F901E2050D7B0DA548BB6
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 01BA41AB
                                                                                                                                                                • GetLastError.KERNEL32 ref: 01BA41B5
                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 01BA41C6
                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 01BA41D9
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3373104450-0
                                                                                                                                                                • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                • Instruction ID: a66f7c0ff47d6c2dbdf5365186ea53f8370a3912ae96fcd19630af024545524c
                                                                                                                                                                • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                • Instruction Fuzzy Hash: FC014C7651110AAFDF01DF95EE85BEF3F6CEB18255F4044A1F901E2050D7B0EA508BB5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • lstrcmp.KERNEL32(?,80000009), ref: 01BAE066
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: lstrcmp
                                                                                                                                                                • String ID: A$ A$ A
                                                                                                                                                                • API String ID: 1534048567-1846390581
                                                                                                                                                                • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                                                                                • Instruction ID: 505886568bbe30f9f83443c29009d1bf0f795da9eb0fc77666a0515e8b0edcfb
                                                                                                                                                                • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                                                                                • Instruction Fuzzy Hash: 08F09631204702DBCB35CF29D884A82BBE9FF0D321B8486ABE254D3060D374E4D8CB61
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                                                                                • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                                                                • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                                                                                • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                                                                • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                                                                                • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                                                • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                                                                                • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                                                • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                                                                                • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                                                                                • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                                                                • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                                                                                • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                                                                • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00403103
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                                                                                • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                                                                • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                                                                                • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                                                                • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                                                                                                • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                                                                                                  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                                                                                  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                                                                                  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                                                                                  • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                • API String ID: 4151426672-2980165447
                                                                                                                                                                • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                                                                                                • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                                                                                                • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                                                                                                • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • WriteFile.KERNEL32(00000001,01BA44E2,00000000,00000000,00000000), ref: 01BAE470
                                                                                                                                                                • CloseHandle.KERNEL32(00000001,00000003), ref: 01BAE484
                                                                                                                                                                  • Part of subcall function 01BAE2FC: RegCreateKeyExA.ADVAPI32(80000001,01BAE50A,00000000,00000000,00000000,00020106,00000000,01BAE50A,00000000,000000E4), ref: 01BAE319
                                                                                                                                                                  • Part of subcall function 01BAE2FC: RegSetValueExA.ADVAPI32(01BAE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 01BAE38E
                                                                                                                                                                  • Part of subcall function 01BAE2FC: RegDeleteValueA.ADVAPI32(01BAE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 01BAE3BF
                                                                                                                                                                  • Part of subcall function 01BAE2FC: RegCloseKey.ADVAPI32(01BAE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,01BAE50A), ref: 01BAE3C8
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                • API String ID: 4151426672-2980165447
                                                                                                                                                                • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                                                                                • Instruction ID: 1b44ce79708feb50d55b6ef8243038ac6131803d3536fcc7b3abf3b17687b38d
                                                                                                                                                                • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                                                                                • Instruction Fuzzy Hash: 2041E4B2904205BAFF256A658C45FEF3F6CEB14720F8480A5FA09A4091E7B5C650DAB4
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 01BA83C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 01BA8477
  • Part of subcall function 01BA69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 01BA69E5
  • Part of subcall function 01BA69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 01BA6A26
  • Part of subcall function 01BA69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 01BA6A3A
  • Part of subcall function 01BAEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,01BA1DCF,?), ref: 01BAEEA8
  • Part of subcall function 01BAEE95: HeapFree.KERNEL32(00000000), ref: 01BAEEAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 359188348-2980165447
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000001,01BAE859,00000000,00020119,01BAE859,PromptOnSecureDesktop), ref: 01BAE64D
• RegCloseKey.ADVAPI32(01BAE859,?,?,?,?,000000C8,000000E4), ref: 01BAE787
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 47109696-2980165447
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?), ref: 01BAAFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 01BAB00D
  • Part of subcall function 01BAAF6F: gethostname.WS2_32(?,00000080), ref: 01BAAF83
  • Part of subcall function 01BAAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 01BAAFE6
  • Part of subcall function 01BA331C: gethostname.WS2_32(?,00000080), ref: 01BA333F
  • Part of subcall function 01BA331C: gethostbyname.WS2_32(?), ref: 01BA3349
  • Part of subcall function 01BAAA0A: inet_ntoa.WS2_32(00000000), ref: 01BAAA10
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 01BA9536
• Sleep.KERNEL32(000001F4), ref: 01BA955D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 01BAB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 01BABA3A
• InterlockedIncrement.KERNEL32(?), ref: 01BABA94
• GetTickCount.KERNEL32 ref: 01BABB79
• GetTickCount.KERNEL32 ref: 01BABB99
• InterlockedIncrement.KERNEL32(?), ref: 01BABE15
• closesocket.WS2_32(00000000), ref: 01BABEB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 01BA70BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 01BA70F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
                                                                                                                                                                • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                                                                • Instruction ID: c5c1ab7675ed70dbd045831a7394acb45e84347f45df87013a7f5f9d0697f274
                                                                                                                                                                • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                                                                • Instruction Fuzzy Hash: B4112A72908118EBDB15CBD5DC84ADEBBFEEB04311F5441B6E601E6090DB75AB888BA4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                                                                  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                                                                • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                • API String ID: 2777991786-1857712256
                                                                                                                                                                • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                                                                                • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                                                                                                • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                                                                                • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                                                                                • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: IncrementInterlockedlstrcpyn
                                                                                                                                                                • String ID: %FROM_EMAIL
                                                                                                                                                                • API String ID: 224340156-2903620461
                                                                                                                                                                • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                                                                                • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                                                                                                • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                                                                                • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                                                                                • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: gethostbyaddrinet_ntoa
                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                • API String ID: 2112563974-1857712256
                                                                                                                                                                • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                                                                • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                                                                                • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                                                                • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: gethostbynameinet_addr
                                                                                                                                                                • String ID: time_cfg
                                                                                                                                                                • API String ID: 1594361348-2401304539
                                                                                                                                                                • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                                                                                • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                                                                • String ID: ntdll.dll
                                                                                                                                                                • API String ID: 2574300362-2227199552
                                                                                                                                                                • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                                                                • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                                                                                • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                                                                • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                                                                                  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1670084259.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_OgcktrbHkI.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1017166417-0
                                                                                                                                                                • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                                                                • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                                                                                • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                                                                • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 01BA2F88: GetModuleHandleA.KERNEL32(?), ref: 01BA2FA1
                                                                                                                                                                  • Part of subcall function 01BA2F88: LoadLibraryA.KERNEL32(?), ref: 01BA2FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 01BA31DA
• HeapFree.KERNEL32(00000000), ref: 01BA31E1
Memory Dump Source
• Source File: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1ba0000_OgcktrbHkI.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction ID: d3e3a4eba048e0db04bf9e4cad878aa97d9f5469a91e8decbb2cf3a060a5f8a5
• Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction Fuzzy Hash: 2351A131908206AFCF1ADF68D8849F9B7B5FF05304F5445A9EC96C7221E772DA19CB90
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 2.9%
Dynamic/Decrypted Code Coverage: 2%
Signature Coverage: 0%
Total number of Nodes: 1562
Total number of Limit Nodes: 14
15834 40268e 15832->15834 15833->15834 15835 40269e gethostbyname 15833->15835 15836 40f428 15834->15836 15835->15834 15970 40f315 15836->15970 15841 40c8d2 15839->15841 15840 40c907 15840->15328 15841->15840 15842 40c517 23 API calls 15841->15842 15842->15840 15843 40f43e 15844 40f473 recv 15843->15844 15845 40f458 15844->15845 15846 40f47c 15844->15846 15845->15844 15845->15846 15846->15344 15848 40c670 15847->15848 15849 40c67d 15847->15849 15850 40ebcc 4 API calls 15848->15850 15851 40ebcc 4 API calls 15849->15851 15852 40c699 15849->15852 15850->15849 15851->15852 15853 40c6f3 15852->15853 15854 40c73c send 15852->15854 15853->15357 15853->15421 15854->15853 15856 40c770 15855->15856 15857 40c77d 15855->15857 15858 40ebcc 4 API calls 15856->15858 15859 40c799 15857->15859 15860 40ebcc 4 API calls 15857->15860 15858->15857 15862 40ebcc 4 API calls 15859->15862 15863 40c7b5 15859->15863 15860->15859 15861 40f43e recv 15864 40c7cb 15861->15864 15862->15863 15863->15861 15865 40f43e recv 15864->15865 15866 40c7d3 15864->15866 15865->15866 15866->15421 15983 407db7 15867->15983 15870 40f04e 4 API calls 15872 407e4c 15870->15872 15871 40f04e 4 API calls 15873 407e96 15871->15873 15874 40f04e 4 API calls 15872->15874 15875 407e70 15872->15875 15873->15421 15874->15875 15875->15871 15875->15873 15877 406ec3 2 API calls 15876->15877 15878 407fdd 15877->15878 15879 4073ff 17 API calls 15878->15879 15888 4080c2 CreateProcessA 15878->15888 15880 407fff 15879->15880 15881 407809 21 API calls 15880->15881 15880->15888 15882 40804d 15881->15882 15883 40ef1e lstrlenA 15882->15883 15882->15888 15884 40809e 15883->15884 15885 40ef1e lstrlenA 15884->15885 15886 4080af 15885->15886 15887 407a95 24 API calls 15886->15887 15887->15888 15888->15409 15888->15410 15890 407db7 2 API calls 15889->15890 15891 407eb8 15890->15891 15892 40f04e 4 API calls 15891->15892 15893 407ece DeleteFileA 15892->15893 15893->15421 15895 40dd05 6 API calls 15894->15895 15896 40e31d 15895->15896 15987 
40e177 15896->15987 15898 40e326 15898->15381 15900 4031f3 15899->15900 15910 4031ec 15899->15910 15901 40ebcc 4 API calls 15900->15901 15915 4031fc 15901->15915 15902 40344b 15903 403459 15902->15903 15904 40349d 15902->15904 15906 40f04e 4 API calls 15903->15906 15905 40ec2e codecvt 4 API calls 15904->15905 15905->15910 15907 40345f 15906->15907 15908 4030fa 4 API calls 15907->15908 15908->15910 15909 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15909->15915 15910->15421 15911 40344d 15912 40ec2e codecvt 4 API calls 15911->15912 15912->15902 15914 403141 lstrcmpiA 15914->15915 15915->15902 15915->15909 15915->15910 15915->15911 15915->15914 16013 4030fa GetTickCount 15915->16013 15917 4030fa 4 API calls 15916->15917 15918 403c1a 15917->15918 15919 403ce6 15918->15919 16018 403a72 15918->16018 15919->15421 15922 403a72 9 API calls 15924 403c5e 15922->15924 15923 403a72 9 API calls 15923->15924 15924->15919 15924->15923 15925 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15924->15925 15925->15924 15927 403a10 15926->15927 15928 4030fa 4 API calls 15927->15928 15929 403a1a 15928->15929 15929->15421 15931 40dd05 6 API calls 15930->15931 15932 40e7be 15931->15932 15932->15421 15934 40c105 15933->15934 15935 40c07e wsprintfA 15933->15935 15934->15421 16027 40bfce GetTickCount wsprintfA 15935->16027 15937 40c0ef 16028 40bfce GetTickCount wsprintfA 15937->16028 15940 406f88 LookupAccountNameA 15939->15940 15941 407047 15939->15941 15943 407025 15940->15943 15944 406fcb 15940->15944 15941->15421 15945 406edd 5 API calls 15943->15945 15946 406fdb ConvertSidToStringSidA 15944->15946 15947 40702a wsprintfA 15945->15947 15946->15943 15948 406ff1 15946->15948 15947->15941 15949 407013 LocalFree 15948->15949 15949->15943 15951 40dd05 6 API calls 15950->15951 15952 40e85c 15951->15952 15953 40dd84 lstrcmpiA 15952->15953 15955 40e867 15953->15955 15954 40e885 lstrcpyA 16032 40dd69 15954->16032 15955->15954 16029 4024a5 15955->16029 15961 407db7 2 API 
calls 15960->15961 15962 407de1 15961->15962 15963 407e16 15962->15963 15964 40f04e 4 API calls 15962->15964 15963->15421 15965 407df2 15964->15965 15965->15963 15966 40f04e 4 API calls 15965->15966 15966->15963 15968 40dd84 lstrcmpiA 15967->15968 15969 40c58e 15968->15969 15969->15818 15969->15824 15969->15826 15971 40f33b 15970->15971 15979 40ca1d 15970->15979 15972 40f347 htons socket 15971->15972 15973 40f382 ioctlsocket 15972->15973 15974 40f374 closesocket 15972->15974 15975 40f3aa connect select 15973->15975 15976 40f39d 15973->15976 15974->15979 15978 40f3f2 __WSAFDIsSet 15975->15978 15975->15979 15977 40f39f closesocket 15976->15977 15977->15979 15978->15977 15980 40f403 ioctlsocket 15978->15980 15979->15341 15979->15843 15982 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15980->15982 15982->15979 15984 407dc8 InterlockedExchange 15983->15984 15985 407dc0 Sleep 15984->15985 15986 407dd4 15984->15986 15985->15984 15986->15870 15986->15875 15988 40e184 15987->15988 15989 40e2e4 15988->15989 15990 40e223 15988->15990 16003 40dfe2 15988->16003 15989->15898 15990->15989 15992 40dfe2 8 API calls 15990->15992 15997 40e23c 15992->15997 15993 40e1be 15993->15990 15994 40dbcf 3 API calls 15993->15994 15996 40e1d6 15994->15996 15995 40e21a CloseHandle 15995->15990 15996->15990 15996->15995 15998 40e1f9 WriteFile 15996->15998 15997->15989 16007 40e095 RegCreateKeyExA 15997->16007 15998->15995 16000 40e213 15998->16000 16000->15995 16001 40e2a3 16001->15989 16002 40e095 4 API calls 16001->16002 16002->15989 16004 40dffc 16003->16004 16006 40e024 16003->16006 16005 40db2e 8 API calls 16004->16005 16004->16006 16005->16006 16006->15993 16008 40e172 16007->16008 16010 40e0c0 16007->16010 16008->16001 16009 40e13d 16011 40e14e RegDeleteValueA RegCloseKey 16009->16011 16010->16009 16012 40e115 RegSetValueExA 16010->16012 16011->16008 16012->16009 16012->16010 16014 403122 InterlockedExchange 16013->16014 16015 40312e 16014->16015 16016 40310f GetTickCount 
16014->16016 16015->15915 16016->16015 16017 40311a Sleep 16016->16017 16017->16014 16019 40f04e 4 API calls 16018->16019 16026 403a83 16019->16026 16020 403ac1 16020->15919 16020->15922 16021 403be6 16023 40ec2e codecvt 4 API calls 16021->16023 16022 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16024 403bc0 16022->16024 16023->16020 16024->16021 16024->16022 16025 403b66 lstrlenA 16025->16020 16025->16026 16026->16020 16026->16024 16026->16025 16027->15937 16028->15934 16030 402419 4 API calls 16029->16030 16031 4024b6 16030->16031 16031->15954 16033 40dd79 lstrlenA 16032->16033 16033->15421 16035 404084 16034->16035 16036 40407d 16034->16036 16037 403ecd 6 API calls 16035->16037 16038 40408f 16037->16038 16039 404000 3 API calls 16038->16039 16041 404095 16039->16041 16040 404130 16042 403ecd 6 API calls 16040->16042 16041->16040 16046 403f18 4 API calls 16041->16046 16043 404159 CreateNamedPipeA 16042->16043 16044 404167 Sleep 16043->16044 16045 404188 ConnectNamedPipe 16043->16045 16044->16040 16049 404176 CloseHandle 16044->16049 16048 404195 GetLastError 16045->16048 16059 4041ab 16045->16059 16047 4040da 16046->16047 16050 403f8c 4 API calls 16047->16050 16051 40425e DisconnectNamedPipe 16048->16051 16048->16059 16049->16045 16052 4040ec 16050->16052 16051->16045 16053 404127 CloseHandle 16052->16053 16054 404101 16052->16054 16053->16040 16056 403f18 4 API calls 16054->16056 16055 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16055->16059 16057 40411c ExitProcess 16056->16057 16058 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16058->16059 16059->16045 16059->16051 16059->16055 16059->16058 16060 40426a CloseHandle CloseHandle 16059->16060 16061 40e318 23 API calls 16060->16061 16062 40427b 16061->16062 16062->16062 16064 408791 16063->16064 16065 40879f 16063->16065 16066 40f04e 4 API calls 16064->16066 16067 4087bc 16065->16067 16068 40f04e 4 API calls 16065->16068 16066->16065 16069 40e819 
11 API calls 16067->16069 16068->16067 16070 4087d7 16069->16070 16082 408803 16070->16082 16084 4026b2 gethostbyaddr 16070->16084 16072 4087eb 16074 40e8a1 30 API calls 16072->16074 16072->16082 16074->16082 16077 40e819 11 API calls 16077->16082 16078 4088a0 Sleep 16078->16082 16079 4026b2 2 API calls 16079->16082 16080 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16080->16082 16082->16077 16082->16078 16082->16079 16082->16080 16083 40e8a1 30 API calls 16082->16083 16089 40c4d6 16082->16089 16092 40c4e2 16082->16092 16095 402011 16082->16095 16130 408328 16082->16130 16083->16082 16085 4026fb 16084->16085 16086 4026cd 16084->16086 16085->16072 16087 4026e1 inet_ntoa 16086->16087 16088 4026de 16086->16088 16087->16088 16088->16072 16182 40c2dc 16089->16182 16093 40c2dc 141 API calls 16092->16093 16094 40c4ec 16093->16094 16094->16082 16096 402020 16095->16096 16098 40202e 16095->16098 16097 40f04e 4 API calls 16096->16097 16097->16098 16099 40f04e 4 API calls 16098->16099 16100 40204b 16098->16100 16099->16100 16101 40206e GetTickCount 16100->16101 16102 40f04e 4 API calls 16100->16102 16103 4020db GetTickCount 16101->16103 16111 402090 16101->16111 16106 402068 16102->16106 16105 402132 GetTickCount GetTickCount 16103->16105 16114 4020e7 16103->16114 16104 4020d4 GetTickCount 16104->16103 16107 40f04e 4 API calls 16105->16107 16106->16101 16110 402159 16107->16110 16108 40212b GetTickCount 16108->16105 16109 402684 2 API calls 16109->16111 16112 4021b4 16110->16112 16116 40e854 13 API calls 16110->16116 16111->16104 16111->16109 16119 4020ce 16111->16119 16517 401978 16111->16517 16115 40f04e 4 API calls 16112->16115 16114->16108 16121 401978 15 API calls 16114->16121 16122 402125 16114->16122 16522 402ef8 16114->16522 16118 4021d1 16115->16118 16120 40218e 16116->16120 16123 4021f2 16118->16123 16125 40ea84 30 API calls 16118->16125 16119->16104 16124 40e819 11 API calls 16120->16124 16121->16114 16122->16108 16123->16082 
16126 40219c 16124->16126 16127 4021ec 16125->16127 16126->16112 16530 401c5f 16126->16530 16128 40f04e 4 API calls 16127->16128 16128->16123 16131 407dd6 6 API calls 16130->16131 16132 40833c 16131->16132 16133 406ec3 2 API calls 16132->16133 16160 408340 16132->16160 16134 40834f 16133->16134 16135 40835c 16134->16135 16141 40846b 16134->16141 16136 4073ff 17 API calls 16135->16136 16157 408373 16136->16157 16137 4085df 16138 408626 GetTempPathA 16137->16138 16139 408638 16137->16139 16149 408762 16137->16149 16138->16139 16602 406ba7 IsBadCodePtr 16139->16602 16140 40675c 21 API calls 16140->16137 16142 4084a7 RegOpenKeyExA 16141->16142 16156 408450 16141->16156 16144 4084c0 RegQueryValueExA 16142->16144 16145 40852f 16142->16145 16147 408521 RegCloseKey 16144->16147 16148 4084dd 16144->16148 16150 408564 RegOpenKeyExA 16145->16150 16163 4085a5 16145->16163 16146 4086ad 16146->16149 16151 407e2f 6 API calls 16146->16151 16147->16145 16148->16147 16153 40ebcc 4 API calls 16148->16153 16155 40ec2e codecvt 4 API calls 16149->16155 16149->16160 16152 408573 RegSetValueExA RegCloseKey 16150->16152 16150->16163 16164 4086bb 16151->16164 16152->16163 16159 4084f0 16153->16159 16154 40875b DeleteFileA 16154->16149 16155->16160 16156->16137 16156->16140 16157->16156 16157->16160 16161 4083ea RegOpenKeyExA 16157->16161 16159->16147 16162 4084f8 RegQueryValueExA 16159->16162 16160->16082 16161->16156 16165 4083fd RegQueryValueExA 16161->16165 16162->16147 16166 408515 16162->16166 16163->16156 16167 40ec2e codecvt 4 API calls 16163->16167 16164->16154 16171 4086e0 lstrcpyA lstrlenA 16164->16171 16168 40842d RegSetValueExA 16165->16168 16169 40841e 16165->16169 16170 40ec2e codecvt 4 API calls 16166->16170 16167->16156 16172 408447 RegCloseKey 16168->16172 16169->16168 16169->16172 16173 40851d 16170->16173 16174 407fcf 64 API calls 16171->16174 16172->16156 16173->16147 16175 408719 CreateProcessA 16174->16175 16176 40873d CloseHandle CloseHandle 16175->16176 16177 40874f 
16175->16177 16176->16149 16178 407ee6 64 API calls 16177->16178 16179 408754 16178->16179 16180 407ead 6 API calls 16179->16180 16181 40875a 16180->16181 16181->16154 16198 40a4c7 GetTickCount 16182->16198 16185 40c300 GetTickCount 16187 40c337 16185->16187 16186 40c326 16186->16187 16188 40c32b GetTickCount 16186->16188 16191 40c363 GetTickCount 16187->16191 16197 40c45e 16187->16197 16188->16187 16189 40c4d2 16189->16082 16190 40c4ab InterlockedIncrement CreateThread 16190->16189 16192 40c4cb CloseHandle 16190->16192 16203 40b535 16190->16203 16193 40c373 16191->16193 16191->16197 16192->16189 16194 40c378 GetTickCount 16193->16194 16195 40c37f 16193->16195 16194->16195 16196 40c43b GetTickCount 16195->16196 16196->16197 16197->16189 16197->16190 16199 40a4f7 InterlockedExchange 16198->16199 16200 40a500 16199->16200 16201 40a4e4 GetTickCount 16199->16201 16200->16185 16200->16186 16200->16197 16201->16200 16202 40a4ef Sleep 16201->16202 16202->16199 16204 40b566 16203->16204 16205 40ebcc 4 API calls 16204->16205 16206 40b587 16205->16206 16207 40ebcc 4 API calls 16206->16207 16254 40b590 16207->16254 16208 40bdcd InterlockedDecrement 16209 40bde2 16208->16209 16211 40ec2e codecvt 4 API calls 16209->16211 16212 40bdea 16211->16212 16213 40ec2e codecvt 4 API calls 16212->16213 16215 40bdf2 16213->16215 16214 40bdb7 Sleep 16214->16254 16216 40be05 16215->16216 16218 40ec2e codecvt 4 API calls 16215->16218 16217 40bdcc 16217->16208 16218->16216 16219 40ebed 8 API calls 16219->16254 16222 40b6b6 lstrlenA 16222->16254 16223 4030b5 2 API calls 16223->16254 16224 40b6ed lstrcpyA 16278 405ce1 16224->16278 16225 40e819 11 API calls 16225->16254 16228 40b731 lstrlenA 16228->16254 16229 40b71f lstrcmpA 16229->16228 16229->16254 16230 40b772 GetTickCount 16230->16254 16231 40bd49 InterlockedIncrement 16375 40a628 16231->16375 16234 40bc5b InterlockedIncrement 16234->16254 16235 40b7ce InterlockedIncrement 16288 40acd7 16235->16288 16238 40b912 GetTickCount 16238->16254 
16239 40b826 InterlockedIncrement 16239->16230 16240 40b932 GetTickCount 16242 40bc6d InterlockedIncrement 16240->16242 16240->16254 16241 40bcdc closesocket 16241->16254 16242->16254 16243 405ce1 22 API calls 16243->16254 16244 4038f0 6 API calls 16244->16254 16247 40a7c1 22 API calls 16247->16254 16249 40bba6 InterlockedIncrement 16249->16254 16251 40bc4c closesocket 16251->16254 16252 40ab81 lstrcpynA InterlockedIncrement 16252->16254 16254->16208 16254->16214 16254->16217 16254->16219 16254->16222 16254->16223 16254->16224 16254->16225 16254->16228 16254->16229 16254->16230 16254->16231 16254->16234 16254->16235 16254->16238 16254->16239 16254->16240 16254->16241 16254->16243 16254->16244 16254->16247 16254->16249 16254->16251 16254->16252 16255 40ba71 wsprintfA 16254->16255 16257 40ef1e lstrlenA 16254->16257 16258 405ded 12 API calls 16254->16258 16260 403e10 16254->16260 16263 403e4f 16254->16263 16266 40384f 16254->16266 16286 40a7a3 inet_ntoa 16254->16286 16293 40abee 16254->16293 16305 401feb GetTickCount 16254->16305 16306 40a688 16254->16306 16329 403cfb 16254->16329 16332 40b3c5 16254->16332 16363 40ab81 16254->16363 16309 40a7c1 16255->16309 16257->16254 16258->16254 16261 4030fa 4 API calls 16260->16261 16262 403e1d 16261->16262 16262->16254 16264 4030fa 4 API calls 16263->16264 16265 403e5c 16264->16265 16265->16254 16267 4030fa 4 API calls 16266->16267 16269 403863 16267->16269 16268 4038b2 16268->16254 16269->16268 16270 4038b9 16269->16270 16271 403889 16269->16271 16384 4035f9 16270->16384 16378 403718 16271->16378 16276 403718 6 API calls 16276->16268 16277 4035f9 6 API calls 16277->16268 16279 405cf4 16278->16279 16280 405cec 16278->16280 16282 404bd1 4 API calls 16279->16282 16390 404bd1 GetTickCount 16280->16390 16283 405d02 16282->16283 16395 405472 16283->16395 16287 40a7b9 16286->16287 16287->16254 16289 40f315 14 API calls 16288->16289 16290 40aceb 16289->16290 16291 40acff 16290->16291 16292 40f315 14 API calls 16290->16292 16291->16254 
16292->16291 16294 40abfb 16293->16294 16297 40ac65 16294->16297 16458 402f22 16294->16458 16296 40f315 14 API calls 16296->16297 16297->16296 16298 40ac8a 16297->16298 16299 40ac6f 16297->16299 16298->16254 16301 40ab81 2 API calls 16299->16301 16300 40ac23 16300->16297 16303 402684 2 API calls 16300->16303 16302 40ac81 16301->16302 16466 4038f0 16302->16466 16303->16300 16305->16254 16480 40a63d 16306->16480 16308 40a696 16308->16254 16310 40a87d lstrlenA send 16309->16310 16311 40a7df 16309->16311 16312 40a899 16310->16312 16313 40a8bf 16310->16313 16311->16310 16314 40a8f2 16311->16314 16319 40a7fa wsprintfA 16311->16319 16321 40a80a 16311->16321 16315 40a8a5 wsprintfA 16312->16315 16328 40a89e 16312->16328 16313->16314 16316 40a8c4 send 16313->16316 16317 40a978 recv 16314->16317 16320 40a9b0 wsprintfA 16314->16320 16322 40a982 16314->16322 16315->16328 16316->16314 16318 40a8d8 wsprintfA 16316->16318 16317->16314 16317->16322 16318->16328 16319->16321 16320->16328 16321->16310 16323 4030b5 2 API calls 16322->16323 16322->16328 16324 40ab05 16323->16324 16325 40e819 11 API calls 16324->16325 16326 40ab17 16325->16326 16327 40a7a3 inet_ntoa 16326->16327 16327->16328 16328->16254 16330 4030fa 4 API calls 16329->16330 16331 403d0b 16330->16331 16331->16254 16333 405ce1 22 API calls 16332->16333 16334 40b3e6 16333->16334 16335 405ce1 22 API calls 16334->16335 16336 40b404 16335->16336 16337 40b440 16336->16337 16338 40ef7c 3 API calls 16336->16338 16339 40ef7c 3 API calls 16337->16339 16340 40b42b 16338->16340 16341 40b458 wsprintfA 16339->16341 16342 40ef7c 3 API calls 16340->16342 16343 40ef7c 3 API calls 16341->16343 16342->16337 16344 40b480 16343->16344 16345 40ef7c 3 API calls 16344->16345 16346 40b493 16345->16346 16347 40ef7c 3 API calls 16346->16347 16348 40b4bb 16347->16348 16485 40ad89 GetLocalTime SystemTimeToFileTime 16348->16485 16352 40b4cc 16353 40ef7c 3 API calls 16352->16353 16354 40b4dd 16353->16354 16355 40b211 7 API calls 16354->16355 16356 
40b4ec 16355->16356 16357 40ef7c 3 API calls 16356->16357 16358 40b4fd 16357->16358 16359 40b211 7 API calls 16358->16359 16360 40b509 16359->16360 16361 40ef7c 3 API calls 16360->16361 16362 40b51a 16361->16362 16362->16254 16364 40ab8c 16363->16364 16366 40abe9 GetTickCount 16363->16366 16365 40aba8 lstrcpynA 16364->16365 16364->16366 16367 40abe1 InterlockedIncrement 16364->16367 16365->16364 16368 40a51d 16366->16368 16367->16364 16369 40a4c7 4 API calls 16368->16369 16370 40a52c 16369->16370 16371 40a542 GetTickCount 16370->16371 16373 40a539 GetTickCount 16370->16373 16371->16373 16374 40a56c 16373->16374 16374->16254 16376 40a4c7 4 API calls 16375->16376 16377 40a633 16376->16377 16377->16254 16379 40f04e 4 API calls 16378->16379 16381 40372a 16379->16381 16380 403847 16380->16268 16380->16276 16381->16380 16382 4037b3 GetCurrentThreadId 16381->16382 16382->16381 16383 4037c8 GetCurrentThreadId 16382->16383 16383->16381 16385 40f04e 4 API calls 16384->16385 16386 40360c 16385->16386 16387 4036da GetCurrentThreadId 16386->16387 16388 4036f1 16386->16388 16387->16388 16389 4036e5 GetCurrentThreadId 16387->16389 16388->16268 16388->16277 16389->16388 16391 404bff InterlockedExchange 16390->16391 16392 404c08 16391->16392 16393 404bec GetTickCount 16391->16393 16392->16279 16393->16392 16394 404bf7 Sleep 16393->16394 16394->16391 16414 404763 16395->16414 16397 40548a 16398 405b58 16397->16398 16404 404ae6 8 API calls 16397->16404 16409 40558d lstrcpynA 16397->16409 16410 405a9f lstrcpyA 16397->16410 16411 405472 13 API calls 16397->16411 16412 405935 lstrcpynA 16397->16412 16413 4058e7 lstrcpyA 16397->16413 16418 404ae6 16397->16418 16422 40ef7c lstrlenA lstrlenA lstrlenA 16397->16422 16424 404699 16398->16424 16401 404763 lstrlenA 16402 405b6e 16401->16402 16445 404f9f 16402->16445 16404->16397 16405 405b79 16405->16254 16407 405549 lstrlenA 16407->16397 16409->16397 16410->16397 16411->16397 16412->16397 16413->16397 16415 40477a 16414->16415 16416 404859 
16415->16416 16417 40480d lstrlenA 16415->16417 16416->16397 16417->16415 16419 404af3 16418->16419 16421 404b03 16418->16421 16420 40ebed 8 API calls 16419->16420 16420->16421 16421->16407 16423 40efb4 16422->16423 16423->16397 16450 4045b3 16424->16450 16427 4045b3 7 API calls 16428 4046c6 16427->16428 16429 4045b3 7 API calls 16428->16429 16430 4046d8 16429->16430 16431 4045b3 7 API calls 16430->16431 16432 4046ea 16431->16432 16433 4045b3 7 API calls 16432->16433 16434 4046ff 16433->16434 16435 4045b3 7 API calls 16434->16435 16436 404711 16435->16436 16437 4045b3 7 API calls 16436->16437 16438 404723 16437->16438 16439 40ef7c 3 API calls 16438->16439 16440 404735 16439->16440 16441 40ef7c 3 API calls 16440->16441 16442 40474a 16441->16442 16443 40ef7c 3 API calls 16442->16443 16444 40475c 16443->16444 16444->16401 16446 404fac 16445->16446 16449 404fb0 16445->16449 16446->16405 16447 404ffd 16447->16405 16448 404fd5 IsBadCodePtr 16448->16449 16449->16447 16449->16448 16451 4045c1 16450->16451 16452 4045c8 16450->16452 16453 40ebcc 4 API calls 16451->16453 16454 40ebcc 4 API calls 16452->16454 16456 4045e1 16452->16456 16453->16452 16454->16456 16455 404691 16455->16427 16456->16455 16457 40ef7c 3 API calls 16456->16457 16457->16456 16473 402d21 GetModuleHandleA 16458->16473 16461 402fcf GetProcessHeap HeapFree 16465 402f44 16461->16465 16462 402f85 16462->16461 16462->16462 16463 402f4f 16464 402f6b GetProcessHeap HeapFree 16463->16464 16464->16465 16465->16300 16467 403900 16466->16467 16472 403980 16466->16472 16468 4030fa 4 API calls 16467->16468 16469 40390a 16468->16469 16470 40391b GetCurrentThreadId 16469->16470 16471 403939 GetCurrentThreadId 16469->16471 16469->16472 16470->16469 16471->16469 16472->16298 16474 402d46 LoadLibraryA 16473->16474 16475 402d5b GetProcAddress 16473->16475 16474->16475 16478 402d54 16474->16478 16476 402d6b 16475->16476 16475->16478 16477 402d97 GetProcessHeap HeapAlloc 16476->16477 16476->16478 16479 402db5 lstrcpynA 
16476->16479 16477->16476 16477->16478 16478->16462 16478->16463 16478->16465 16479->16476 16481 40a645 16480->16481 16482 40a64d 16480->16482 16481->16308 16483 40a66e 16482->16483 16484 40a65e GetTickCount 16482->16484 16483->16308 16484->16483 16486 40adbf 16485->16486 16510 40ad08 gethostname 16486->16510 16489 4030b5 2 API calls 16490 40add3 16489->16490 16491 40a7a3 inet_ntoa 16490->16491 16492 40ade4 16490->16492 16491->16492 16493 40ae85 wsprintfA 16492->16493 16496 40ae36 wsprintfA wsprintfA 16492->16496 16494 40ef7c 3 API calls 16493->16494 16495 40aebb 16494->16495 16498 40ef7c 3 API calls 16495->16498 16497 40ef7c 3 API calls 16496->16497 16497->16492 16499 40aed2 16498->16499 16500 40b211 16499->16500 16501 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16500->16501 16502 40b2af GetLocalTime 16500->16502 16503 40b2d2 16501->16503 16502->16503 16504 40b2d9 SystemTimeToFileTime 16503->16504 16505 40b31c GetTimeZoneInformation 16503->16505 16507 40b2ec 16504->16507 16506 40b33a wsprintfA 16505->16506 16506->16352 16508 40b312 FileTimeToSystemTime 16507->16508 16508->16505 16511 40ad71 16510->16511 16512 40ad26 lstrlenA 16510->16512 16514 40ad85 16511->16514 16515 40ad79 lstrcpyA 16511->16515 16512->16511 16516 40ad68 lstrlenA 16512->16516 16514->16489 16515->16514 16516->16511 16518 40f428 14 API calls 16517->16518 16519 40198a 16518->16519 16520 401990 closesocket 16519->16520 16521 401998 16519->16521 16520->16521 16521->16111 16523 402d21 6 API calls 16522->16523 16524 402f01 16523->16524 16527 402f0f 16524->16527 16538 402df2 GetModuleHandleA 16524->16538 16526 402684 2 API calls 16528 402f1d 16526->16528 16527->16526 16529 402f1f 16527->16529 16528->16114 16529->16114 16531 401c80 16530->16531 16532 401d1c 16531->16532 16533 401cc2 wsprintfA 16531->16533 16537 401d79 16531->16537 16532->16532 16535 401d47 wsprintfA 16532->16535 16534 402684 2 API calls 16533->16534 16534->16531 16536 402684 2 API calls 16535->16536 16536->16537 16537->16112 
16539 402e10 LoadLibraryA 16538->16539 16540 402e0b 16538->16540 16541 402e17 16539->16541 16540->16539 16540->16541 16542 402ef1 16541->16542 16543 402e28 GetProcAddress 16541->16543 16542->16527 16543->16542 16544 402e3e GetProcessHeap HeapAlloc 16543->16544 16546 402e62 16544->16546 16545 402ede GetProcessHeap HeapFree 16545->16542 16546->16542 16546->16545 16547 402e7f htons inet_addr 16546->16547 16548 402ea5 gethostbyname 16546->16548 16550 402ceb 16546->16550 16547->16546 16547->16548 16548->16546 16551 402cf2 16550->16551 16553 402d1c 16551->16553 16554 402d0e Sleep 16551->16554 16555 402a62 GetProcessHeap HeapAlloc 16551->16555 16553->16546 16554->16551 16554->16553 16556 402a92 16555->16556 16557 402a99 socket 16555->16557 16556->16551 16558 402cd3 GetProcessHeap HeapFree 16557->16558 16559 402ab4 16557->16559 16558->16556 16559->16558 16573 402abd 16559->16573 16560 402adb htons 16575 4026ff 16560->16575 16562 402b04 select 16562->16573 16563 402ca4 16564 402cb3 GetProcessHeap HeapFree closesocket 16563->16564 16564->16556 16565 402b3f recv 16565->16573 16566 402b66 htons 16566->16563 16566->16573 16567 402b87 htons 16567->16563 16567->16573 16569 402bf3 GetProcessHeap HeapAlloc 16569->16573 16571 402c17 htons 16590 402871 16571->16590 16573->16560 16573->16562 16573->16563 16573->16564 16573->16565 16573->16566 16573->16567 16573->16569 16573->16571 16574 402c4d GetProcessHeap HeapFree 16573->16574 16582 402923 16573->16582 16594 402904 16573->16594 16574->16573 16576 402717 16575->16576 16578 40271d 16575->16578 16577 40ebcc 4 API calls 16576->16577 16577->16578 16579 40272b GetTickCount htons 16578->16579 16580 4027cc htons htons sendto 16579->16580 16581 40278a 16579->16581 16580->16573 16581->16580 16583 402944 16582->16583 16586 40293d 16582->16586 16598 402816 htons 16583->16598 16585 402950 16585->16586 16587 402871 htons 16585->16587 16588 4029bd htons htons htons 16585->16588 16586->16573 16587->16585 16588->16586 16589 4029f6 GetProcessHeap 
HeapAlloc 16588->16589 16589->16585 16589->16586 16591 4028e3 16590->16591 16593 402889 16590->16593 16591->16573 16592 4028c3 htons 16592->16591 16592->16593 16593->16591 16593->16592 16595 402921 16594->16595 16596 402908 16594->16596 16595->16573 16597 402909 GetProcessHeap HeapFree 16596->16597 16597->16595 16597->16597 16599 40286b 16598->16599 16600 402836 16598->16600 16599->16585 16600->16599 16601 40285c htons 16600->16601 16601->16599 16601->16600 16603 406bc0 16602->16603 16604 406bbc 16602->16604 16605 40ebcc 4 API calls 16603->16605 16615 406bd4 16603->16615 16604->16146 16606 406be4 16605->16606 16607 406c07 CreateFileA 16606->16607 16608 406bfc 16606->16608 16606->16615 16610 406c34 WriteFile 16607->16610 16611 406c2a 16607->16611 16609 40ec2e codecvt 4 API calls 16608->16609 16609->16615 16613 406c49 CloseHandle DeleteFileA 16610->16613 16614 406c5a CloseHandle 16610->16614 16612 40ec2e codecvt 4 API calls 16611->16612 16612->16615 16613->16611 16616 40ec2e codecvt 4 API calls 16614->16616 16615->16146 16616->16615 14936 2310005 14941 231092b GetPEB 14936->14941 14938 2310030 14943 231003c 14938->14943 14942 2310972 14941->14942 14942->14938 14944 2310049 14943->14944 14958 2310e0f SetErrorMode SetErrorMode 14944->14958 14949 2310265 14950 23102ce VirtualProtect 14949->14950 14952 231030b 14950->14952 14951 2310439 VirtualFree 14955 23105f4 LoadLibraryA 14951->14955 14956 23104be 14951->14956 14952->14951 14953 23104e3 LoadLibraryA 14953->14956 14957 23108c7 14955->14957 14956->14953 14956->14955 14959 2310223 14958->14959 14960 2310d90 14959->14960 14961 2310dad 14960->14961 14962 2310dbb GetPEB 14961->14962 14963 2310238 VirtualAlloc 14961->14963 14962->14963 14963->14949 14964 1b49333 14965 1b49342 14964->14965 14968 1b49ad3 14965->14968 14969 1b49aee 14968->14969 14970 1b49af7 CreateToolhelp32Snapshot 14969->14970 14971 1b49b13 Module32First 14969->14971 14970->14969 14970->14971 14972 1b49b22 14971->14972 14974 1b4934b 14971->14974 14975 
1b49792 14972->14975 14976 1b497bd 14975->14976 14977 1b497ce VirtualAlloc 14976->14977 14978 1b49806 14976->14978 14977->14978 14978->14978
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\OgcktrbHkI.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\OgcktrbHkI.exe$C:\Windows\SysWOW64\kofydeki\pspizbvl.exe$D$P$\$kofydeki
• API String ID: 2089075347-1782248800
• Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Rendered graph (legend: Executed / Not Executed); basic-block edge list not reproduced
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Rendered graph (legend: Executed / Not Executed); basic-block edge list not reproduced
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.KERNELBASE(?), ref: 004077E6
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
• Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Rendered graph (legend: Executed / Not Executed); basic-block edge list not reproduced
                                                                                                                                                                APIs
                                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0231024D
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                                • String ID: cess$kernel32.dll
                                                                                                                                                                • API String ID: 4275171209-1230238691
                                                                                                                                                                • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                • Instruction ID: 7e658349ad4e2d10a3515a5c930ecc06e71732694fcc51982e59041b39fbfa7e
                                                                                                                                                                • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                • Instruction Fuzzy Hash: 06526A74A01229DFDB68CF58C984BACBBB5BF09304F1480D9E94DAB351DB30AA95CF14
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; summary recovered from its block list)
• Function 0x40977c-0x409866: CreateProcessA; on success Wow64GetThreadContext, a helper call, WriteProcessMemory, Wow64SetThreadContext and ResumeThread in sequence; a failure at any intermediate step branches to TerminateProcess on the suspended child before returning
APIs
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2098669666-2746444292
• Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
• Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
Uniqueness
• Uniqueness Score: -1.00%
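The two listings above, the VirtualAlloc loader stub at 0x231003c and the CreateProcessA / Wow64GetThreadContext / WriteProcessMemory / Wow64SetThreadContext / ResumeThread sequence at 0x40977c, are the raw material an analyst reads to confirm the report's "Injects a PE file into a foreign processes" and "Allocates memory in foreign processes" signatures. What follows is an added example, not Joe Sandbox code and not part of this report: a Python script that parses API entries in the report's "Name.Module(args), ref: addr" shape, decodes the argument constants that matter here (MEM_COMMIT and PAGE_READWRITE in the VirtualAlloc call, CREATE_SUSPENDED in CreateProcessA's dwCreationFlags), and flags the create-suspended, get-context, write-memory, set-context, resume chain that characterises process hollowing. The sample lines are constructed copies of the entries above; argument positions follow the documented Win32 prototypes as Joe prints them from the stack, and treating ascending ref addresses as program order is an assumption that holds for a straight-line listing like this one.

```python
import re
from dataclasses import dataclass

# Constructed sample: API lines copied in shape from this report's listings for
# the functions at 0x231003c (0x2310000 dump), 0x40977c and 0x404000 (0x400000 dump).
SAMPLE_REPORT = """\
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0231024D
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
"""

API_LINE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Win32 constants (winnt.h / winbase.h) for the argument positions decoded below.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
PROC_FLAGS = {0x00000004: "CREATE_SUSPENDED", 0x00000010: "CREATE_NEW_CONSOLE",
              0x08000000: "CREATE_NO_WINDOW"}
CREATE_SUSPENDED = 0x4
# (canonical api name, zero-based argument index) -> bit-name table
ARG_TABLES = {("VirtualAlloc", 2): MEM_FLAGS, ("VirtualAlloc", 3): PAGE_PROT,
              ("CreateProcess", 5): PROC_FLAGS}   # arg 5 = dwCreationFlags
HOLLOWING_CHAIN = ("CreateProcess", "GetThreadContext", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list      # hex args as int, '?' as None, resolved strings as str
    ref: int        # address of the call instruction

def _arg(token: str):
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token    # e.g. "kernel32" in a GetModuleHandleA entry

def parse_api_lines(text: str) -> list:
    """Parse every 'Name.Module(args), ref: addr' entry found in text."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            name, module, raw, ref = m.groups()
            args = [_arg(t.strip()) for t in raw.split(",")] if raw else []
            calls.append(ApiCall(name, module, args, int(ref, 16)))
    return calls

def canonical(name: str) -> str:
    """Fold Wow64GetThreadContext / GetThreadContext and A/W suffixes together."""
    return re.sub(r"^Wow64|[AW]$", "", name)

def decode_bits(value: int, table: dict) -> str:
    """Name the bits of value that appear in table; leftover bits stay hex."""
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if (rest & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append(hex(rest))
    return "|".join(names)

def decode_flags(call: ApiCall) -> dict:
    """Argument index -> symbolic value for the arguments we have tables for."""
    out = {}
    for (api, idx), table in ARG_TABLES.items():
        if (canonical(call.name) == api and idx < len(call.args)
                and isinstance(call.args[idx], int)):
            out[idx] = decode_bits(call.args[idx], table)
    return out

def find_process_hollowing(calls: list):
    """Return the calls forming CreateProcess(CREATE_SUSPENDED) -> GetThreadContext ->
    WriteProcessMemory -> SetThreadContext -> ResumeThread, else None. Ascending
    ref address stands in for program order within one function listing."""
    chain, step = [], 0
    for call in sorted(calls, key=lambda c: c.ref):
        if canonical(call.name) != HOLLOWING_CHAIN[step]:
            continue
        if step == 0:   # the child must be created suspended
            flags = call.args[5] if len(call.args) > 5 else None
            if not isinstance(flags, int) or not flags & CREATE_SUSPENDED:
                continue
        chain.append(call)
        step += 1
        if step == len(HOLLOWING_CHAIN):
            return chain
    return None

def report(text: str) -> list:
    """Human-readable findings: decoded flag arguments plus any hollowing chain."""
    calls = parse_api_lines(text)
    findings = []
    for c in calls:
        flags = decode_flags(c)
        if flags:
            findings.append(f"{c.name} @ {c.ref:08X}: " +
                            ", ".join(f"arg{i}={v}" for i, v in sorted(flags.items())))
    chain = find_process_hollowing(calls)
    if chain:
        findings.append("process hollowing chain: " +
                        " -> ".join(f"{c.name}@{c.ref:08X}" for c in chain))
    return findings

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REPORT)))
```

Run as a script it prints the decoded VirtualAlloc and CreateProcessA arguments and the five-call chain for the embedded sample; parse_api_lines can be pointed at the APIs section of any function entry in the report. The chain check requires CREATE_SUSPENDED, because a CreateProcess followed by ResumeThread without a suspended child is ordinary process creation. The nSize of 4 in the WriteProcessMemory entry is consistent with patching a single 32-bit value in the child rather than copying a whole image at this call site, as RunPE-style loaders do when they fix up the image base; that is an interpretation, and the check deliberately does not depend on it.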

Control-flow Graph (rendered in the original report; not present in this export)
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
• Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; summary recovered from its block list)
• Function 0x404000-0x40405c: CreateFileA in a retry loop; on failure GetLastError is examined and, for some error values, the function calls Sleep(0x1F4 = 500 ms) and tries CreateFileA again
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
• Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; not present in this export)
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
• Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; summary recovered from its block list)
• Function 0x406dc2-0x406e35: calls sub_406cc9 (the subcall below, which resolves GetSystemWow64DirectoryA from kernel32 and reads the system and Windows directories) and sub_40ef00, runs a short loop, then calls GetVolumeInformationA
APIs
  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
• String ID: Xw
• API String ID: 1823874839-290828094
• Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
• Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; summary recovered from its block list)
• Function 0x406e36-0x406ec2: GetUserNameW, then LookupAccountNameW, followed by a chain of small comparison blocks on the result before returning
APIs
• GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: Name$AccountLookupUser
• String ID:
• API String ID: 2370142434-0
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 567 1b49ad3-1b49aec 568 1b49aee-1b49af0 567->568 569 1b49af7-1b49b03 CreateToolhelp32Snapshot 568->569 570 1b49af2 568->570 571 1b49b05-1b49b0b 569->571 572 1b49b13-1b49b20 Module32First 569->572 570->569 571->572 577 1b49b0d-1b49b11 571->577 573 1b49b22-1b49b23 call 1b49792 572->573 574 1b49b29-1b49b31 572->574 578 1b49b28 573->578 577->568 577->572 578->574
                                                                                                                                                                APIs
                                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 01B49AFB
                                                                                                                                                                • Module32First.KERNEL32(00000000,00000224), ref: 01B49B1B
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671238466.0000000001B45000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B45000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_1b45000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3833638111-0
                                                                                                                                                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                                                • Instruction ID: 361a133d80c5a9d458465358882b70accb6d04651527dab29cdb29cb02a30aa0
                                                                                                                                                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                                                • Instruction Fuzzy Hash: 67F062352007116FEB243AB9A88DB6B76E8EF4D668F504568E686D10C0DB70E8455661
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 580 2310e0f-2310e24 SetErrorMode * 2 581 2310e26 580->581 582 2310e2b-2310e2c 580->582 581->582
                                                                                                                                                                APIs
                                                                                                                                                                • SetErrorMode.KERNELBASE(00000400,?,?,02310223,?,?), ref: 02310E19
                                                                                                                                                                • SetErrorMode.KERNELBASE(00000000,?,?,02310223,?,?), ref: 02310E1E
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ErrorMode
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2340568224-0
                                                                                                                                                                • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                • Instruction ID: d62b7a4beade2913b5db3dbd4b9804181903281294fc2242620614750d44505c
                                                                                                                                                                • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                • Instruction Fuzzy Hash: BCD0123114512877DB002A95DC09BCD7B1CDF09B66F008011FB0DD9080C770954046E5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 583 409892-4098c0 584 4098c2-4098c5 583->584 585 4098d9 583->585 584->585 586 4098c7-4098d7 584->586 587 4098e0-4098f1 SetServiceStatus 585->587 586->587
                                                                                                                                                                APIs
                                                                                                                                                                • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ServiceStatus
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3969395364-0
                                                                                                                                                                • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                                                                                • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                                                                                                • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                                                                                • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 588 1b49792-1b497cc call 1b49aa5 591 1b497ce-1b49801 VirtualAlloc call 1b4981f 588->591 592 1b4981a 588->592 594 1b49806-1b49818 591->594 592->592 594->592
                                                                                                                                                                APIs
                                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 01B497E3
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671238466.0000000001B45000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B45000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_1b45000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                • Instruction ID: a834c87a22ab912ad6b47cefe11e42823467d494260ddadcef3589fa481ae2d3
                                                                                                                                                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                • Instruction Fuzzy Hash: 2F112D79A00208EFDB01DF98C985E99BBF5EF08751F05C094F9489B361D371EA50EB80
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 595 4098f2-4098f4 596 4098f6-409902 call 404280 595->596 599 409904-409913 Sleep 596->599 600 409917 596->600 599->596 601 409915 599->601 602 409919-409942 call 402544 call 40977c 600->602 603 40995e-409960 600->603 601->600 607 409947-409957 call 40ee2a 602->607 607->603
                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                                                                                                • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CreateEventSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3100162736-0
                                                                                                                                                                • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                                                                                                • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                                                                                                • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                                                                                                • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 023165F6
                                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02316610
                                                                                                                                                                • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02316631
                                                                                                                                                                • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02316652
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1965334864-0
                                                                                                                                                                • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                                                                                • Instruction ID: 3170f5670fd1400a43442dc388588fd049888845910d3d678356c0555984b8b6
                                                                                                                                                                • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                                                                                • Instruction Fuzzy Hash: EE117371600218BFDB259FA5DC46F9B3FACEB057A5F104024FA08E7250D7B1DD00CAA4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • ExitProcess.KERNEL32 ref: 02319E6D
                                                                                                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 02319FE1
                                                                                                                                                                • lstrcat.KERNEL32(?,?), ref: 02319FF2
                                                                                                                                                                • lstrcat.KERNEL32(?,0041070C), ref: 0231A004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 0231A054
• DeleteFileA.KERNEL32(?), ref: 0231A09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0231A0D6
• lstrcpy.KERNEL32 ref: 0231A12F
• lstrlen.KERNEL32(00000022), ref: 0231A13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 02319F13
  • Part of subcall function 02317029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02317081
  • Part of subcall function 02316F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\kofydeki,02317043), ref: 02316F4E
  • Part of subcall function 02316F30: GetProcAddress.KERNEL32(00000000), ref: 02316F55
  • Part of subcall function 02316F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02316F7B
  • Part of subcall function 02316F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02316F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0231A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0231A1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0231A214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0231A21B
• GetDriveTypeA.KERNEL32(?), ref: 0231A265
• lstrcat.KERNEL32(?,00000000), ref: 0231A29F
• lstrcat.KERNEL32(?,00410A34), ref: 0231A2C5
• lstrcat.KERNEL32(?,00000022), ref: 0231A2D9
• lstrcat.KERNEL32(?,00410A34), ref: 0231A2F4
• wsprintfA.USER32 ref: 0231A31D
• lstrcat.KERNEL32(?,00000000), ref: 0231A345
• lstrcat.KERNEL32(?,?), ref: 0231A364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0231A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0231A398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0231A1D1
  • Part of subcall function 02319966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0231999D
  • Part of subcall function 02319966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 023199BD
  • Part of subcall function 02319966: RegCloseKey.ADVAPI32(?), ref: 023199C6
• GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0231A3DB
• GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0231A3E2
• GetDriveTypeA.KERNEL32(00000022), ref: 0231A41D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
• String ID: "$"$"$D$P$\
• API String ID: 1653845638-2605685093
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
• wsprintfA.USER32 ref: 0040B3B7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe$D
• API String ID: 2976863881-4275784296
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02317D21
• GetUserNameA.ADVAPI32(?,?), ref: 02317D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02317D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02317DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02317DC0
• EqualSid.ADVAPI32(?,?), ref: 02317DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02317DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02317DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02317E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02317E12
• LocalFree.KERNEL32(00000000), ref: 02317E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02317E35
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe$D
• API String ID: 2976863881-4275784296
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
• Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
Uniqueness
• Uniqueness Score: -1.00%

APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
• Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 02317A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02317ACD
• GetLengthSid.ADVAPI32(?), ref: 02317ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02317B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02317B1F
• EqualSid.ADVAPI32(?,?), ref: 02317B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02317B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02317B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02317B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02317B77
• LocalFree.KERNEL32(00000000), ref: 02317B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02317B9A
• GetAce.ADVAPI32(?,?,?), ref: 02317BCA
• EqualSid.ADVAPI32(?,?), ref: 02317BF1
• DeleteAce.ADVAPI32(?,?), ref: 02317C0A
• EqualSid.ADVAPI32(?,?), ref: 02317C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02317CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02317CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02317CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02317CE0
• LocalFree.KERNEL32(00000000), ref: 02317CEE
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: bc31c73902cf4e2d493e5df7250bd3821d86c55abbc62122a6c5751c8fe9e6f4
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: B2814D71900219AFDB25CFA4DD84FEEFBB8AF08304F18806AE505E6150D7759681CB64
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe$localcfg
• API String ID: 237177642-3039148244
• Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
• API String ID: 1628651668-179334549
• Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                                                                                • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                                                                                                • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                                                                                                  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                                                                                • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                                                                                • API String ID: 4207808166-1381319158
                                                                                                                                                                • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                                                                                • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                                                                                                • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                                                                                • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                                                                                                • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                                                                                                • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                                                                                                • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                                                                                                • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                                                                                                • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                                                                                                • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                                                                                • API String ID: 835516345-270533642
                                                                                                                                                                • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                                                                                • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                                                                                                • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                                                                                • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0231865A
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0231867B
                                                                                                                                                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 023186A8
                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 023186B1
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Value$CloseOpenQuery
                                                                                                                                                                • String ID: "$C:\Windows\SysWOW64\kofydeki\pspizbvl.exe
                                                                                                                                                                • API String ID: 237177642-1820161509
                                                                                                                                                                • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                                                                                • Instruction ID: cff93fcabb00d2bcde662d5c60f93278ffa39ce72e008b1e48cda1135874903d
                                                                                                                                                                • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                                                                                • Instruction Fuzzy Hash: 41C1A272900248BEFB25ABA4DD85EEF7BBDEF09304F144075F604E6050E7714A958F69
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                                                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                                                                                                • htons.WS2_32(00000000), ref: 00402ADB
                                                                                                                                                                • select.WS2_32 ref: 00402B28
                                                                                                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                                                                                                • htons.WS2_32(?), ref: 00402B71
                                                                                                                                                                • htons.WS2_32(?), ref: 00402B8C
                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1639031587-0
                                                                                                                                                                • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                                                                                • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                                                                                                • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                                                                                • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 02311601
                                                                                                                                                                • lstrlenW.KERNEL32(-00000003), ref: 023117D8
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExecuteShelllstrlen
                                                                                                                                                                • String ID: $<$@$D
                                                                                                                                                                • API String ID: 1628651668-1974347203
                                                                                                                                                                • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                                                                                • Instruction ID: 872cee8d794dbd93f35a37c63cadaac210a0bbb517128ff6a8210d84671d8feb
                                                                                                                                                                • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                                                                                • Instruction Fuzzy Hash: 0EF16AB15083419FD724DF64C888BAABBF9FB89304F00892DF6DA97290D7B49944CB56
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 023176D9
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02317757
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0231778F
                                                                                                                                                                • ___ascii_stricmp.LIBCMT ref: 023178B4
                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0231794E
                                                                                                                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0231796D
                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0231797E
                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 023179AC
                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 02317A56
                                                                                                                                                                  • Part of subcall function 0231F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0231772A,?), ref: 0231F414
                                                                                                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 023179F6
• RegCloseKey.ADVAPI32(?), ref: 02317A4D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: 024d6bac869c7b67101c059a96f94f35e1f4a98929cb99493f1b8a0c9696cea4
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: 22C18172900209AFDB299FA4DC45FEEBBB9EF49310F1840A5E504E6190EB71DA84CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
Uniqueness
Uniqueness Score: -1.00%

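The argument lists above are easier to read once the constants are decoded: RegOpenKeyExA(80000001, ..., 00000101) opens a key under HKEY_CURRENT_USER with KEY_QUERY_VALUE|KEY_WOW64_64KEY, RegEnumValueA then walks its values with a 0x20-byte name buffer, and the ___ascii_stricmp plus GetFileAttributesExA pair compares a value name case-insensitively and checks whether the path it holds still exists. The Python below is an added example, not code from the report or from the sample: it parses lines in this report's API format into records and annotates the handful of constants worth knowing (registry hives and access masks, socket()/htons() arguments, CreateFile access). The sample input is copied from this page; the decoding tables only cover the APIs that appear here.

```python
import re
from dataclasses import dataclass, field

# One API line in the report's format, e.g.
#   "• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10), ref: 004070C2"
# Some entries carry no argument list at all ("• select.WS2_32 ref: 02312D8F").
API_LINE = re.compile(
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list        # raw argument strings; "?" means the sandbox could not resolve it
    ref: int          # address of the call site
    notes: list = field(default_factory=list)   # decoded meanings of known constants

# Decoding tables (only what the calls on this page need).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE",
              0x0004: "KEY_CREATE_SUB_KEY", 0x0008: "KEY_ENUMERATE_SUB_KEYS",
              0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
              0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY"}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

def _u32(arg):
    """Parse one argument as a 32-bit hex value; None for '?' and string literals."""
    try:
        return int(arg, 16) & 0xFFFFFFFF
    except ValueError:
        return None

def _mask(value, table):
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)

def decode(call):
    """Attach human-readable meanings for the constants a reviewer wants decoded."""
    a = [_u32(x) for x in call.args]
    if call.api.startswith("RegOpenKeyEx") and len(a) >= 3:
        if a[0] in HIVES:
            call.notes.append(f"hive={HIVES[a[0]]}")
        if a[2] is not None:                       # samDesired is the third argument
            call.notes.append(f"samDesired={_mask(a[2], KEY_RIGHTS)}")
    elif call.api == "socket" and len(a) >= 3 and None not in a[:3]:
        call.notes.append(f"{AF.get(a[0], a[0])}/{SOCK.get(a[1], a[1])}/{PROTO.get(a[2], a[2])}")
    elif call.api == "htons" and a and a[0] is not None:
        call.notes.append(f"port={a[0]}")          # htons(0x35) is port 53
    elif call.api.startswith("CreateFile") and len(a) >= 2 and a[1] is not None:
        acc = [n for bit, n in ((0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")) if a[1] & bit]
        call.notes.append("access=" + ("|".join(acc) or hex(a[1])))
    return call

def parse_trace(text):
    """Parse every API line in a block of report text into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [s.strip() for s in m["args"].split(",")] if m["args"] else []
        calls.append(decode(ApiCall(m["api"], m["module"], args, int(m["ref"], 16))))
    return calls

# Sample input: six lines copied from this report's trace excerpts.
SAMPLE_TRACE = """
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
• socket.WS2_32(00000002,00000002,00000011), ref: 02312D07
• htons.WS2_32(00000035), ref: 00402E88
• select.WS2_32 ref: 02312D8F
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
"""

if __name__ == "__main__":
    for c in parse_trace(SAMPLE_TRACE):
        print(f"{c.ref:08X} {c.api}.{c.module}  {' '.join(c.notes)}")
```

Run it over a whole report export and grep the notes for the combinations that matter (HKEY_CURRENT_USER plus KEY_WOW64_64KEY from a 32-bit image, SOCK_DGRAM with port 53, GENERIC_READ on the binary's own path) rather than reading hex by eye.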
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 02312CED
• socket.WS2_32(00000002,00000002,00000011), ref: 02312D07
• htons.WS2_32(00000000), ref: 02312D42
• select.WS2_32 ref: 02312D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 02312DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02312E62
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: cceedd1950b7870d7536d5fb0bbaaf984dcefb17d6b2ecd3d1cb8c0688410f7a
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: BD610371904329AFC3249F64DC08B6BBBF8FB88B45F004819FD8897151D7B4D880CBA6
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
Uniqueness
Uniqueness Score: -1.00%

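The strings in this function are the tell: "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" is the MIME boundary format Outlook Express and classic Outlook emit, where the last two fields are the high and low dwords of a FILETIME, and "%04x%08.8lx$%08.8lx$%08x@%s" is the matching Message-ID format (the report's String ID list uses "$" as its separator, so the one format string is shown split into three; in a real Message-ID the "$" are literal). GetLocalTime followed by SystemTimeToFileTime supplies the stamp, gethostname (falling back to "LocalHost" / 127.0.0.1) supplies the host, and the %OUTLOOK_BND_, %OUTLOOK_HST and %OUTLOOK_MID tokens look like placeholders the spam template engine fills in. The Python below is an added example, not the sample's code: it reproduces the two header formats from a timestamp, host and address, fills the placeholders into a constructed template, and then does the reverse for detection, pulling the timestamp back out of a boundary or Message-ID so it can be compared with the Date: header. Which value lands in each placeholder and in the leading Message-ID fields is an assumption, as the page does not show the format arguments.

```python
import re
from datetime import datetime, timedelta

# FILETIME = 100 ns ticks since 1601-01-01. The trace feeds GetLocalTime into
# SystemTimeToFileTime, so the embedded stamp is local wall-clock time, not UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1)

def datetime_to_filetime(dt):
    td = dt - _FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def filetime_to_datetime(ft):
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def mime_boundary(ft, part, counter):
    """'----=_NextPart_%03d_%04X_%08.8lX.%08.8lX' with the FILETIME split hi.lo."""
    return "----=_NextPart_%03d_%04X_%08X.%08X" % (part, counter, ft >> 32, ft & 0xFFFFFFFF)

def message_id(ft, counter, ipv4, host):
    """'<%04x%08.8lx$%08.8lx$%08x@%s>'. The third hex field is the IPv4 address as
    inet_addr() leaves it in memory (little-endian dword); feeding counter/hi/lo
    to the first fields is an assumption, not something the page shows."""
    ip_dword = int.from_bytes(bytes(int(o) for o in ipv4.split(".")), "little")
    return "<%04x%08x$%08x$%08x@%s>" % (counter, ft >> 32, ft & 0xFFFFFFFF, ip_dword, host)

def fill_template(template, ft, counter, ipv4, host):
    """Substitute the %OUTLOOK_* placeholders from the strings list. Assumed meaning:
    BND_<n> = boundary for part n, HST = hostname, MID = Message-ID."""
    out = re.sub(r"%OUTLOOK_BND_(\d+)", lambda m: mime_boundary(ft, int(m[1]), counter), template)
    return out.replace("%OUTLOOK_HST", host).replace("%OUTLOOK_MID", message_id(ft, counter, ipv4, host))

# Detection side: recover the timestamps and compare them with Date:.
_BOUNDARY = re.compile(r"----=_NextPart_(\d{3})_([0-9A-F]{4})_([0-9A-F]{8})\.([0-9A-F]{8})")
_MSGID = re.compile(r"<([0-9a-f]{4})([0-9a-f]{8})\$([0-9a-f]{8})\$([0-9a-f]{8})@([^>\s]+)>")

def boundary_timestamp(content_type):
    m = _BOUNDARY.search(content_type)
    if not m:
        return None
    return filetime_to_datetime((int(m[3], 16) << 32) | int(m[4], 16))

def message_id_fields(msgid):
    m = _MSGID.search(msgid)
    if not m:
        return None
    ip = ".".join(str(b) for b in int(m[4], 16).to_bytes(4, "little"))
    ts = filetime_to_datetime((int(m[2], 16) << 32) | int(m[3], 16))
    return {"timestamp": ts, "ip": ip, "host": m[5]}

def header_skew_seconds(content_type, date_header):
    """Distance between the Date: header and the stamp baked into the boundary.
    A genuine client writes both within a second or so; a template rendered on a
    bot at send time can be hours or days off, or carry a 127.0.0.1 in the MID."""
    ts = boundary_timestamp(content_type)
    return None if ts is None else abs((ts - date_header).total_seconds())

# Constructed sample template (not from the sample's configuration).
SAMPLE_TEMPLATE = ("Message-ID: %OUTLOOK_MID\r\n"
                   "Content-Type: multipart/alternative; boundary=\"%OUTLOOK_BND_0\"\r\n"
                   "X-Mailer: test via %OUTLOOK_HST\r\n")

if __name__ == "__main__":
    ft = datetime_to_filetime(datetime(1970, 1, 1))
    print(fill_template(SAMPLE_TEMPLATE, ft, 1, "127.0.0.1", "localhost"))
```

The same two regexes work as mail-gateway rules on their own; the timestamp comparison is what separates a bot rendering a stored template from a real Outlook Express client, whose boundary and Date: always agree to within seconds.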
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
Uniqueness
Uniqueness Score: -1.00%

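This function resolves GetNetworkParams from iphlpapi.dll at run time (that API returns the host's configured DNS server list), allocates a 0x4000-byte buffer for it, and then prepares port 53 with htons(0x35) before inet_addr and gethostbyname. Read together with the UDP function earlier in this section, socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) followed by select and a recv into a 0x1000-byte buffer, the picture is a resolver that talks to a DNS server on UDP/53 directly rather than relying only on the Winsock resolver. The Python below is an added example of what such a resolver does on the wire, not code from the sample or the report; whether this binary builds its own DNS packets is an assumption (the trace only shows the port and socket setup), and the server address, query name and response bytes are constructed for the example.

```python
import random
import socket
import struct

DNS_PORT = 53          # the htons(0x35) in the trace above
RECV_BUF = 0x1000      # the recv() length in the UDP function above

def build_query(name, qtype=1, txid=None):
    """Standard query (RFC 1035): 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _read_name(pkt, off, max_hops=16):
    """Decode a (possibly compressed) name; returns (name, offset just past it).
    The hop limit is what stops a malicious response from looping the parser."""
    labels, end, hops = [], None, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                  # compression pointer: 14-bit offset
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                  # resume after the first pointer
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_a_records(pkt, expected_txid):
    """Return the IPv4 addresses from a response, refusing mismatched txids and errors."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs

def resolve(name, server, timeout=3.0):
    """Live lookup against one chosen server (needs network; not used by the test)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _peer = s.recvfrom(RECV_BUF)
    return parse_a_records(data, struct.unpack_from("!H", q, 0)[0])

# Constructed sample response (not captured traffic): txid 0x1234, answer for
# "example.test" with two A records whose names point back (0xC00C) to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 11])
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, 0x1234))
```

On the detection side the same structure matters in reverse: a host whose resolver traffic comes from an unexpected process, bypasses the configured server, or asks for MX records in volume is the network signature of this kind of spam engine.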
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
• ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
• ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
• SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
• CloseHandle.KERNEL32(000000FF,?,74DF0F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
• Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
• Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
Uniqueness
• Uniqueness Score: -1.00%
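The function blocks in this report list each call as `api.MODULE(args), ref: address`. The argument lists are stack snapshots that run past the API's real parameter count (GetModuleHandleA, a one-parameter function, is shown with eleven entries, and 00409DD7 recurs in the position a return address would occupy), so only the leading positions can be read as parameters. The constants a triager otherwise looks up by hand are all decodable: htons(00000035) is port 53, socket(00000002,00000001,00000000) is AF_INET/SOCK_STREAM, 80000002 is HKEY_LOCAL_MACHINE, CreateEventA(0,1,1,0) is a manual-reset, initially signaled, unnamed event. The Python below is an added example for this page, not Joe Sandbox or Tofsee code: it parses such blocks, decodes the leading arguments and splits the `$`-joined String ID list. The sample block is constructed from lines that appear in this report. The reading of the `.sdmp` filename (first field PID, fourth field base address, fifth field page protection, so 00000040 = PAGE_EXECUTE_READWRITE) is my assumption, cross-checked only against the `hcaresult_11_2_400000_...` snapshot name, which carries the same PID and base.

```python
"""Parse Joe Sandbox per-function summary blocks and decode their constants.
Added example for this page; not Joe Sandbox or Tofsee code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "• api.MODULE(arg,...), ref: ADDR" or "• api.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref: (?P<ref>[0-9A-F]{8})\s*$")
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")

HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
ADDRESS_FAMILIES = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Constructed from lines in this report (not a full block).
SAMPLE = """\
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• htons.WS2_32(00000035), ref: 023130EF
• htons.WS2_32(0040CA1D), ref: 0040F34D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02313078
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]                 # raw tokens: hex dwords, "?" or strings
    ref: int                        # call-site address
    subcall_of: Optional[int] = None
    notes: List[str] = field(default_factory=list)


def _int(tok: str) -> Optional[int]:
    """Hex dword as printed -> int (two's complement for '-' values); None otherwise."""
    if not HEX_RE.match(tok):
        return None
    v = int(tok.lstrip("-"), 16)
    return (-v) & 0xFFFFFFFF if tok.startswith("-") else v


def decode(call: ApiCall) -> ApiCall:
    """Annotate leading arguments only: the printed list is a stack snapshot that
    runs past the real parameter count, so later positions are not parameters."""
    a = [_int(t) for t in call.args]
    n = call.notes
    if call.api == "htons" and a and a[0] is not None:
        if a[0] <= 0xFFFF:
            n.append(f"port {a[0]}" + (" (DNS)" if a[0] == 53 else ""))
        else:                       # pointer-sized value: not a literal port
            n.append("arg0 wider than 16 bits: not a literal port")
    elif call.api == "socket" and len(a) >= 2 and None not in a[:2]:
        n.append(f"{ADDRESS_FAMILIES.get(a[0], a[0])}/{SOCKET_TYPES.get(a[1], a[1])}")
    elif call.api.startswith("RegOpenKeyEx") and a and a[0] in HKEY_ROOTS:
        n.append(HKEY_ROOTS[a[0]])
    elif call.api.startswith("CreateEvent") and len(a) >= 4 and None not in a[:4]:
        n.append(", ".join(["manual-reset" if a[1] else "auto-reset",
                            "signaled" if a[2] else "non-signaled",
                            "unnamed" if a[3] == 0 else "named"]))
    elif call.api == "CreateThread" and len(a) >= 3 and a[2] is not None:
        n.append(f"start routine 0x{a[2]:08X}")
    elif call.api in ("LoadLibraryA", "GetModuleHandleA") and call.args \
            and call.args[0] != "?" and _int(call.args[0]) is None:
        n.append(f"module {call.args[0]}")
    return call


def parse_apis(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = [t.strip() for t in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(decode(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub)))
    return calls


def parse_string_ids(text: str) -> List[str]:
    """The Similarity block joins a function's referenced strings with '$'."""
    m = re.search(r"^\s*•?\s*String ID:[ \t]*(.*)$", text, re.M)
    return m.group(1).strip().split("$") if m and m.group(1).strip() else []


def parse_dump_source(text: str) -> Optional[dict]:
    """Reading of the .sdmp name is an assumption: field 1 = PID, field 4 = base,
    field 5 = page protection (cross-checked against hcaresult_<pid>_<n>_<base>)."""
    m = re.search(r"Source File:\s*(\S+?)\.sdmp, Offset: ([0-9A-F]{8}), based on PE: (true|false)", text)
    if not m:
        return None
    f = m.group(1).split(".")
    return {"pid": int(f[0], 16), "base": int(m.group(2), 16),
            "protect": PAGE_PROTECT.get(int(f[4], 16), f[4]),
            "based_on_pe": m.group(3) == "true"}


if __name__ == "__main__":
    for c in parse_apis(SAMPLE):
        print(f"{c.ref:08X} {c.api}.{c.module} {'; '.join(c.notes)}")
    print(parse_string_ids(SAMPLE))
    print(parse_dump_source(SAMPLE))
```

Run against a whole report, the notes are what you would put in a triage table: the `htons(0x35)` + `gethostbyname` + `iphlpapi.dll` block further down resolves names over port 53, the `socket(2,1,0)` block opens a TCP socket, the HKLM open sits next to the `runas` string, and the `PAGE_EXECUTE_READWRITE` region at 0x400000 is consistent with the "overwrites its own PE header" detection in the summary. The `0040CA1D` passed to htons is flagged rather than decoded, because a 32-bit value there is a stack artifact, not a port.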

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
• ExitProcess.KERNEL32 ref: 00404121
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0
• Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
• Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
• Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
• Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
• Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02313068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02313078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 02313095
• RtlAllocateHeap.NTDLL(00000000), ref: 023130B6
• htons.WS2_32(00000035), ref: 023130EF
• inet_addr.WS2_32(?), ref: 023130FA
• gethostbyname.WS2_32(?), ref: 0231310D
• HeapFree.KERNEL32(00000000), ref: 0231314D
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: 32fcad1a1a5737e413af3e0aa11185c7259ba8489030eb8631b4ea70571f5b8d
                                                                                                                                                                • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                                                                                • Instruction Fuzzy Hash: EC31C831A00306ABDF15ABB89C48BAE7BB8EF05764F1441B5F918E7290DB74D942CB58

APIs
• GetVersionExA.KERNEL32(?), ref: 023195A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 023195D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 023195DC
• wsprintfA.USER32 ref: 02319635
• wsprintfA.USER32 ref: 02319673
• wsprintfA.USER32 ref: 023196F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02319758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0231978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 023197D8
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID:
• API String ID: 3696105349-0
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: 20bcb679ea5a24297ad5f16be0f6f9e7a8ddda233326bb837d36b85a9794c268
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: E3A17AB2900208AFEB29DFA0CC85FEA3BADEF04741F104026FA15E6151E7B5D584CFA5

APIs
• GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 023167C3
• htonl.WS2_32(?), ref: 023167DF
• htonl.WS2_32(?), ref: 023167EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 023168F1
• ExitProcess.KERNEL32 ref: 023169BC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: b8a6fcf18d72d034f745008deca9ecb6269a7c77ab660ea3aec65ca9a824f495
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 0E615D71A40208AFDB649FB4DC45FEA77F9FB08300F14806AFA6DD2161EB7599908F54

APIs
• htons.WS2_32(0231CC84), ref: 0231F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0231F5CE
• closesocket.WS2_32(00000000), ref: 0231F5DC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 6c989e3a843b3cd77d3ba5f6be096fd8f50a2ab95f58b1992e99e58baa9fabcc
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: D9316B72900218ABDB10DFA5DC89DEFBBBCFF89310F10456AF915E3150E7709A818BA4

                                                                                                                                                                APIs
                                                                                                                                                                • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                                                                                • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                                                                                • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                                                                                • wsprintfA.USER32 ref: 00407036
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                                                                                • String ID: /%d$|
                                                                                                                                                                • API String ID: 676856371-4124749705
                                                                                                                                                                • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                                                                                • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                                                                                • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                                                                                • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(?), ref: 02312FA1
                                                                                                                                                                • LoadLibraryA.KERNEL32(?), ref: 02312FB1
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02312FC8
                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02313000
                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02313007
                                                                                                                                                                • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02313032
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                                                                                • String ID: dnsapi.dll
                                                                                                                                                                • API String ID: 1242400761-3175542204
                                                                                                                                                                • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                                                                                • Instruction ID: 96aec9603b22aa9c52f08962aa3122a39e52f6797b3ef7ccd23e7a82f3a47a9f
                                                                                                                                                                • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                                                                                • Instruction Fuzzy Hash: FA217F71D01629BBCB269BA5DC48AEFBBBCEF08B50F004461F906E7540D7B49A8187E4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                                                                • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                                                                • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                                                                                • API String ID: 1082366364-3395550214
                                                                                                                                                                • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                                                                                • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                                                                                • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                                                                                • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02319A18
                                                                                                                                                                • GetThreadContext.KERNEL32(?,?), ref: 02319A52
                                                                                                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 02319A60
                                                                                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02319A98
                                                                                                                                                                • SetThreadContext.KERNEL32(?,00010002), ref: 02319AB5
                                                                                                                                                                • ResumeThread.KERNEL32(?), ref: 02319AC2
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                                                                • String ID: D
                                                                                                                                                                • API String ID: 2981417381-2746444292
                                                                                                                                                                • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                                                                                • Instruction ID: 199645ffdec109b0e3b94a60d7364e717577eb1efe1f6e2db66d4be9cdf882e6
                                                                                                                                                                • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                                                                                • Instruction Fuzzy Hash: CA213BB1E01219BBDB219BA1DC09FEFBBBCEF08750F404061BA19E5090E7758A54CBA4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%
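The two entries above that end in GetProcAddress (the dnsapi.dll loader and the GetSystemWow64DirectoryA lookup) and the CreateProcessA entry directly above are the raw evidence behind the report's "dynamically determine API calls" and "injects a PE file into a foreign process" signatures. The script below is an added example, not part of the report or of Joe Sandbox's own tooling: it parses the "• Api.MODULE(args), ref: ADDR" lines exactly as printed in the APIs sections and flags those two chains per function. It assumes the argument list is in stack order (so the sixth CreateProcessA argument is dwCreationFlags and 00000004 is CREATE_SUSPENDED); the sample input is copied from the listings on this page.

```python
"""Flag suspicious API-call chains in a Joe Sandbox per-function API listing.

Added example, not part of the report or of Joe Sandbox's own tooling.
Chains reported:
  process_hollowing      CreateProcess(CREATE_SUSPENDED) ... WriteProcessMemory,
                         SetThreadContext, ResumeThread in the same function
  dynamic_api_resolution GetModuleHandle/LoadLibrary followed by GetProcAddress
Assumption: arguments are listed in stack order.
"""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit, 6th CreateProcessA argument

# Matches '• CreateProcessA.KERNEL32(00000000,?,...), ref: 02319A18'
# and the parameterless form '• GetProcessHeap.KERNEL32 ref: 02313000'.
API_LINE = re.compile(
    r"^\s*(?:[•*-]\s*)?(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str     # e.g. 'CreateProcessA'
    module: str  # e.g. 'KERNEL32'
    args: list   # raw argument tokens; '?' means the sandbox could not resolve it
    ref: int     # call-site address


def base_name(api: str) -> str:
    """Fold ANSI/Unicode suffixes: CreateProcessA -> CreateProcess."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def arg_int(call: Call, index: int):
    """Argument as int, or None when absent or unresolved ('?', a string)."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # section headers such as 'APIs' or 'Strings' are skipped
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("module").upper(), args,
                          int(m.group("ref"), 16)))
    return calls


def find_chains(calls: list) -> dict:
    """Return {chain_name: [call-site addresses]} for one function's calls."""
    found = {}
    names = [base_name(c.api) for c in calls]

    # Chain 1: CreateProcess with CREATE_SUSPENDED, then the hollowing steps later on.
    for i, c in enumerate(calls):
        if names[i] != "CreateProcess":
            continue
        flags = arg_int(c, 5)
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        rest = {"WriteProcessMemory", "SetThreadContext", "ResumeThread"}
        if rest <= set(names[i + 1:]):
            found["process_hollowing"] = [c.ref] + [
                x.ref for x, n in zip(calls[i + 1:], names[i + 1:]) if n in rest]
            break

    # Chain 2: GetProcAddress preceded by a module handle or LoadLibrary call.
    for i, n in enumerate(names):
        if n == "GetProcAddress":
            loaders = [x.ref for x, m in zip(calls[:i], names[:i])
                       if m in ("GetModuleHandle", "LoadLibrary")]
            if loaders:
                found["dynamic_api_resolution"] = loaders + [calls[i].ref]
                break
    return found


def scan(functions: dict) -> dict:
    """Map each function label to the chains found in its API listing."""
    return {label: find_chains(parse_api_lines(text))
            for label, text in functions.items()}


# Constructed sample: "APIs" lines of four functions copied from this report.
SAMPLE = {
    "sid_string": r"""
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
""",
    "dnsapi_resolve": r"""
• GetModuleHandleA.KERNEL32(?), ref: 02312FA1
• LoadLibraryA.KERNEL32(?), ref: 02312FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 02312FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02313000
• RtlAllocateHeap.NTDLL(00000000), ref: 02313007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02313032
""",
    "wow64_dir": r"""
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
""",
    "inject": r"""
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02319A18
• GetThreadContext.KERNEL32(?,?), ref: 02319A52
• TerminateProcess.KERNEL32(?,00000000), ref: 02319A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02319A98
• SetThreadContext.KERNEL32(?,00010002), ref: 02319AB5
• ResumeThread.KERNEL32(?), ref: 02319AC2
""",
}

if __name__ == "__main__":
    for label, chains in scan(SAMPLE).items():
        for name, refs in chains.items():
            print(f"{label}: {name} at {', '.join(f'{r:08X}' for r in refs)}")
```

The flag check matters: a CreateProcess call without CREATE_SUSPENDED followed by WriteProcessMemory is a different (and far more common) pattern, so the rule keys on the 00000004 argument that the listing above actually shows, and it leaves unresolved `?` arguments as "unknown" rather than treating them as zero.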

                                                                                                                                                                APIs
                                                                                                                                                                • inet_addr.WS2_32(004102D8), ref: 02311C18
                                                                                                                                                                • LoadLibraryA.KERNEL32(004102C8), ref: 02311C26
                                                                                                                                                                • GetProcessHeap.KERNEL32 ref: 02311C84
                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02311C9D
                                                                                                                                                                • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02311CC1
                                                                                                                                                                • HeapFree.KERNEL32(?,00000000,00000000), ref: 02311D02
                                                                                                                                                                • FreeLibrary.KERNEL32(?), ref: 02311D0B
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2324436984-0
                                                                                                                                                                • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                                                                                • Instruction ID: 7c1efc27342a9b4124f18e1a51ac878b737bb41cf15716d454e645c8fefa5af3
                                                                                                                                                                • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                                                                                • Instruction Fuzzy Hash: 53316F31D00219BFCF159FE4DC889FEBBB9EB49705B24447AE645A2110D7B54E80DB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02316CE4
                                                                                                                                                                • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02316D22
                                                                                                                                                                • GetLastError.KERNEL32 ref: 02316DA7
                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 02316DB5
                                                                                                                                                                • GetLastError.KERNEL32 ref: 02316DD6
                                                                                                                                                                • DeleteFileA.KERNEL32(?), ref: 02316DE7
                                                                                                                                                                • GetLastError.KERNEL32 ref: 02316DFD
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3873183294-0
                                                                                                                                                                • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                                                                • Instruction ID: 5d01f6deee1bf76ba2904616b02413f118f6473335b2dec248ae99e99a857d95
                                                                                                                                                                • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                                                                • Instruction Fuzzy Hash: 2A310F72901249BFCB15DFE4DD49ADEBFBEEB48300F14816AE611E3220D7708A958F61
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\kofydeki,02317043), ref: 02316F4E
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02316F55
                                                                                                                                                                • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02316F7B
                                                                                                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02316F92
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\kofydeki
• API String ID: 1082366364-994406173
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: b5536a03160088a6e02ca8bfa9ced71dd6d00da9111003fadb0549f1fa69a047
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: 8C2132217403403AF73A93319C89FFB2E4C8F52764F1C80A9F804E6481EBDA84D686AD
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
• Instruction ID: ed1eb3a7798155bb3ba0db64decc83e6cb3749cc8e8bb1df18c8c35800297301
• Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
• Instruction Fuzzy Hash: DA714872A05308AADF399B58DC95FEE376DAB0171BF244027F904E2090DF6289C4CB55
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0231DF6C: GetCurrentThreadId.KERNEL32 ref: 0231DFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 0231E8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02316128), ref: 0231E950
• lstrcmp.KERNEL32(?,00000008), ref: 0231E989
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: 1b4b8e41c3909781dc5b104eec43e50af492a51d23194fa90138ec25c254dc94
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: F5319C31A007159BDB798F24C884BA67BF8EB09725F00892AE99587559D37AE880CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: b521294427fb2244cec21ef919f0ce7413a3205946e58c7e2db15339d996fc49
• Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction Fuzzy Hash: A421A272104115FFDB289BB0FD49EDF3FADDB48A65B108525F502D1091EB71DA00DA74
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
• Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 023192E2
• wsprintfA.USER32 ref: 02319350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02319375
• lstrlen.KERNEL32(?,?,00000000), ref: 02319389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 02319394
• CloseHandle.KERNEL32(00000000), ref: 0231939B
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: a604d268723307e7f23cd70504a1540a5c11c21ef3a5adc97b16d2edf1a6c694
• Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction Fuzzy Hash: A91184B17402147BE7386731EC0DFEF3A6EDBC8B11F018065BF09E5090EEB54A418A64
Uniqueness
Uniqueness Score: -1.00%
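The two listings above are the same routine seen twice: once in the original 00400000 image (call sites 0040907B..00409134) and once in the 02310000 region. Both show the drop-a-file-into-%TEMP% sequence GetTempPathA, wsprintfA, CreateFileA with dwDesiredAccess 40000000 (GENERIC_WRITE) and dwCreationDisposition 00000002 (CREATE_ALWAYS), then WriteFile and CloseHandle. The following triage helper is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's API lines, decodes those two CreateFileA arguments, and flags the sequence. The sample input is the 00400000 listing copied from above; the line regex and the assumption that the report prints DWORD arguments as eight hex digits are mine, not something the report documents.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings.

Added example (not part of the report or the sample): parses the call lines,
decodes CreateFileA's dwDesiredAccess / dwCreationDisposition, and flags the
GetTempPath* -> CreateFile*(write, create) -> WriteFile drop-to-%TEMP% sequence.
The line regex is an assumption about how the report renders a call.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Win32 constants for the two CreateFileA arguments decoded below.
GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# One report line, e.g.
#   • CreateFileA.KERNEL32(004122F8,40000000,...), ref: 0040910E
#   • wsprintfA.USER32 ref: 004090E9                 (no argument list shown)
#   • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
_LINE_RE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # int for 8-hex-digit values, None for "?", str for string literals
    ref: int        # address of the call site
    subcall: bool   # True for "Part of subcall function" lines


def _arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):   # assumed: DWORDs printed as 8 hex digits
        return int(tok, 16)
    return tok                                  # string literal such as "localcfg"


def parse_api_lines(text: str) -> list:
    """Turn the report's API lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue                            # headers, IDs, blank lines
        raw = m.group("args")
        args = [_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def describe_createfile(call: ApiCall) -> dict:
    """Decode dwDesiredAccess (2nd arg) and dwCreationDisposition (5th arg) of CreateFileA/W."""
    access = call.args[1] if len(call.args) > 1 else None
    disp = call.args[4] if len(call.args) > 4 else None
    names = [n for bit, n in GENERIC_ACCESS.items()
             if isinstance(access, int) and access & bit]
    return {"access": names, "disposition": CREATION_DISPOSITION.get(disp, "UNKNOWN")}


def find_temp_file_drop(calls: list) -> Optional[dict]:
    """Return call-site addresses if the function creates and writes a file under %TEMP%."""
    temp_call = create = None
    for c in calls:
        if c.subcall:
            continue                            # only this function's own calls count
        if c.api.startswith("GetTempPath"):
            temp_call = c
        elif c.api.startswith("CreateFile") and temp_call is not None:
            info = describe_createfile(c)
            if ({"GENERIC_WRITE", "GENERIC_ALL"} & set(info["access"])
                    and info["disposition"] in ("CREATE_NEW", "CREATE_ALWAYS", "OPEN_ALWAYS")):
                create = (c, info)
        elif c.api == "WriteFile" and create is not None:
            return {"temp_path_ref": temp_call.ref, "create_ref": create[0].ref,
                    "write_ref": c.ref, **create[1]}
    return None


def triage(listing: str) -> Optional[dict]:
    return find_temp_file_drop(parse_api_lines(listing))


# Sample input: the 0040907B..00409134 listing copied from the report above.
SAMPLE_LISTING = """\
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

The 02310000 copy of the routine shows "?" for the file name and buffer arguments; the parser keeps those as None rather than guessing, so the match is driven by the access mask and creation disposition, which are concrete in both listings.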

APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0231C6B4
                                                                                                                                                                • InterlockedIncrement.KERNEL32(0231C74B), ref: 0231C715
                                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0231C747), ref: 0231C728
                                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,0231C747,00413588,02318A77), ref: 0231C733
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                • API String ID: 1026198776-1857712256
                                                                                                                                                                • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                                                                                • Instruction ID: 0b886a2dcb72bd76124712c59fee5c2eb38783a10743e8a844f6a0f81d47711b
                                                                                                                                                                • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                                                                                • Instruction Fuzzy Hash: BF513EB1A41B418FD7388F69C594626BBE9FB48304B546D3FE18BC7A90D774E844CB11
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
                                                                                                                                                                  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                                                                                                  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                                                                                                  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                                                                                                  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                                                                                                  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                                                                                                  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                                                                                                  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                                                                                                  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                                                                                                  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                                                                                                  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                                                                  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                                                                                • String ID: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe
                                                                                                                                                                • API String ID: 124786226-872712706
                                                                                                                                                                • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                                                                                                • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                                                                                                • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                                                                                                • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 023171E1
                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02317228
                                                                                                                                                                • LocalFree.KERNEL32(?,?,?), ref: 02317286
                                                                                                                                                                • wsprintfA.USER32 ref: 0231729D
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                                                                                                • String ID: |
                                                                                                                                                                • API String ID: 2539190677-2343686810
                                                                                                                                                                • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                                                                                • Instruction ID: f9940bb84a16af4de135a1f94d4bae89cbd010a8284385b6887a8da90c8dd2e6
                                                                                                                                                                • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                                                                                • Instruction Fuzzy Hash: 8D314972A00208BFCB15DFA8DC48BDA7BACEF04354F14C066F859DB201EB75D6498B94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                                                                                • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: lstrlen$gethostnamelstrcpy
                                                                                                                                                                • String ID: LocalHost
                                                                                                                                                                • API String ID: 3695455745-3154191806
                                                                                                                                                                • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                                                                • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                                                                                                • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                                                                • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                                                                                • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: QueryValue$CloseOpen
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1586453840-0
                                                                                                                                                                • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                                                                                • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                                                                                                • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                                                                                • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 0231B51A
                                                                                                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0231B529
                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0231B548
                                                                                                                                                                • GetTimeZoneInformation.KERNEL32(?), ref: 0231B590
                                                                                                                                                                • wsprintfA.USER32 ref: 0231B61E
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 4026320513-0
                                                                                                                                                                • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                                                                • Instruction ID: 20ef34d3d694c8eed09573c82f4ff0658f91735659d10d63758f8cd8210608e8
                                                                                                                                                                • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                                                                • Instruction Fuzzy Hash: 915102B1D0021DAACF18DFD5D8845EEFBBABF48304F10816AF505A6150E7B94AC9CF98
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02316303
• LoadLibraryA.KERNEL32(?), ref: 0231632A
• GetProcAddress.KERNEL32(00000000,?), ref: 023163B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02316405
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocCountProcessTicksendto
• String ID:
• API String ID: 1802437671-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 023193C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 023193CD
• CharToOemA.USER32(?,?), ref: 023193DB
• wsprintfA.USER32 ref: 02319410
  • Part of subcall function 023192CB: GetTempPathA.KERNEL32(00000400,?), ref: 023192E2
  • Part of subcall function 023192CB: wsprintfA.USER32 ref: 02319350
  • Part of subcall function 023192CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02319375
  • Part of subcall function 023192CB: lstrlen.KERNEL32(?,?,00000000), ref: 02319389
  • Part of subcall function 023192CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02319394
  • Part of subcall function 023192CB: CloseHandle.KERNEL32(00000000), ref: 0231939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02319448
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
• Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
• Instruction ID: 1b85353def23bf244e2469e1f6f9bf5d168ee67eecc0e7384ebb19f81c16d305
• Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
• Instruction Fuzzy Hash: DE015EF6900118BBDB31A7619D89FDF3B7CDB95701F0040A2BB49E2080EAB596C58F75
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
Uniqueness
Uniqueness Score: -1.00%

APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 8a10975a228c5ac22b469985d9509b9e5e02c3d3c4afb7f5083f2890923dbef8
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 43E017306046219FDB549B2CF848ADA7BE5EF4A230F058595F894D72A0C774DCC1AB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 023169E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02316A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 02316A3A
• CloseHandle.KERNEL32(000000FF), ref: 02316BD8
  • Part of subcall function 0231EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02311DCF,?), ref: 0231EEA8
  • Part of subcall function 0231EE95: HeapFree.KERNEL32(00000000), ref: 0231EEAF
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
• Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction ID: 6996ec927c0ccce7ddc80af1c44513b48da111a8f237b192ccd0bb95df287c89
• Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction Fuzzy Hash: 5E71157190021DEFDB149FA5CC81AEEBBBDFB08318F10856AE515A6191D7709E92CF60
Uniqueness
Uniqueness Score: -1.00%
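
Several of the function records above read as recognisable behaviours once the API arguments are decoded: the GetModuleFileNameA / GetTempPathA / CreateFileA / WriteFile / ShellExecuteA chain at 023193C6 is the shape of a self-delete through a script dropped under %TEMP% (the report's own "Deletes itself after installation" signature), LoadLibraryA("Iphlpapi.dll") + GetProcAddress("GetAdaptersAddresses") at 00401AD4 is runtime import resolution, AllocateAndInitializeSid(?,2,0x20,0x220,...) + CheckTokenMembership at 00406F0F is the documented "is the caller an administrator" check for BUILTIN\Administrators (S-1-5-32-544), and SetFileAttributesA(?,0x02) at 02316A26 sets FILE_ATTRIBUTE_HIDDEN. The following triage script is an added example, not Joe Sandbox code and not taken from the sample: it parses call lines of the shape shown in these records (`Name.MODULE(args), ref: ADDR`, with the "Part of subcall function" prefix on nested calls; that shape is assumed from the lines visible here, not from a documented format) and flags those four patterns. The SID decoder assumes SECURITY_NT_AUTHORITY (5) because the trace shows the authority pointer only as "?"; the sample traces are constructed copies of the records above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample inputs in the shape of the API-call lines in the function
# records above (Name.MODULE(args), ref: ADDR; subcall lines carry a prefix).
SELF_DELETE_TRACE = """\
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 023193C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 023193CD
• CharToOemA.USER32(?,?), ref: 023193DB
• wsprintfA.USER32 ref: 02319410
  • Part of subcall function 023192CB: GetTempPathA.KERNEL32(00000400,?), ref: 023192E2
  • Part of subcall function 023192CB: wsprintfA.USER32 ref: 02319350
  • Part of subcall function 023192CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02319375
  • Part of subcall function 023192CB: lstrlen.KERNEL32(?,?,00000000), ref: 02319389
  • Part of subcall function 023192CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02319394
  • Part of subcall function 023192CB: CloseHandle.KERNEL32(00000000), ref: 0231939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02319448
"""
ADMIN_CHECK_TRACE = """\
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
"""
RESOLVE_TRACE = """\
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
"""
HIDE_TRACE = """\
• SetFileAttributesA.KERNEL32(?,00000080), ref: 023169E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02316A26
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FILE_ATTRIBUTE_HIDDEN = 0x2


def parse_calls(text: str) -> List[Dict]:
    """Turn report lines into call records; lines of any other shape are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({"name": m.group("name"), "module": m.group("module").upper(),
                      "args": [a.strip() for a in raw.split(",")] if raw else [],
                      "ref": int(m.group("ref"), 16),
                      "subcall": m.group("sub")})  # None for the function's own calls
    return calls


def sid_from_args(args: List[str], authority: int = 5) -> Optional[str]:
    """Render the SID that AllocateAndInitializeSid(pAuthority, count, sub0..sub7,
    ppSid) builds. The trace shows the authority pointer only as '?', so the
    caller supplies the value; SECURITY_NT_AUTHORITY (5) is assumed by default."""
    try:
        count = int(args[1], 16)
        subs = [int(a, 16) for a in args[2:2 + count]]
    except (IndexError, ValueError):
        return None
    if not 1 <= count <= 8 or len(subs) != count:
        return None
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def hex_arg(call: Dict, index: int) -> Optional[int]:
    """Numeric value of one argument, or None when the trace shows '?' or a string."""
    try:
        return int(call["args"][index], 16)
    except (IndexError, ValueError):
        return None


def triage(text: str) -> List[str]:
    """Flag behaviours a reviewer would note from one function record."""
    calls = parse_calls(text)
    names = [c["name"] for c in calls]
    have = set(names)
    findings = []
    # Self-deletion via a dropped script: resolve own image path, write a file
    # under %TEMP%, hand it to the shell. The write must precede the launch.
    wants = {"GetModuleFileNameA", "GetTempPathA", "WriteFile", "ShellExecuteA"}
    if wants <= have and names.index("WriteFile") < names.index("ShellExecuteA"):
        findings.append("self-delete-via-temp-script")
    for c in calls:
        # Runtime resolution keeps the import out of the PE import table.
        if c["name"] == "GetProcAddress" and len(c["args"]) >= 2:
            findings.append("dynamic-resolve:" + c["args"][1])
        # BUILTIN\Administrators is S-1-5-32-544 (RIDs 0x20 and 0x220).
        if c["name"] == "AllocateAndInitializeSid" and "CheckTokenMembership" in have:
            if sid_from_args(c["args"]) == "S-1-5-32-544":
                findings.append("admin-membership-check")
        # Second argument of SetFileAttributesA is the attribute mask.
        if c["name"] == "SetFileAttributesA":
            mask = hex_arg(c, 1)
            if mask is not None and mask & FILE_ATTRIBUTE_HIDDEN:
                findings.append("sets-hidden-attribute")
    return findings


if __name__ == "__main__":
    for label, trace in [("self-delete", SELF_DELETE_TRACE), ("admin", ADMIN_CHECK_TRACE),
                         ("resolve", RESOLVE_TRACE), ("hide", HIDE_TRACE)]:
        print(label, triage(trace))
```

The ordering check on the self-delete pattern matters: a function that launches a shell first and writes a file afterwards is not the same behaviour, and matching on the bare set of API names would report it as such. Arguments rendered as "?" are pointers or values the sandbox could not recover, so any decoder has to treat them as unknown rather than zero.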

                                                                                                                                                                APIs
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: wsprintf
                                                                                                                                                                • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                                                                                • API String ID: 2111968516-120809033
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.ADVAPI32(80000001,0231E50A,00000000,00000000,00000000,00020106,00000000,0231E50A,00000000,000000E4), ref: 0231E319
• RegSetValueExA.ADVAPI32(0231E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0231E38E
• RegDeleteValueA.ADVAPI32(0231E50A,?,?,?,?,?,000000C8,004122F8), ref: 0231E3BF
• RegCloseKey.ADVAPI32(0231E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0231E50A), ref: 0231E3C8
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 023141AB
• GetLastError.KERNEL32 ref: 023141B5
• WaitForSingleObject.KERNEL32(?,?), ref: 023141C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 023141D9
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0231421F
• GetLastError.KERNEL32 ref: 02314229
• WaitForSingleObject.KERNEL32(?,?), ref: 0231423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0231424D
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcmp.KERNEL32(?,80000009), ref: 0231E066
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                                                                • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                                                                                • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                                                                • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                                                                                • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                                                • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                                                                                • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                                                • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                                                                                • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                                                                                • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                                                                • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                                                                                • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                                                                • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00403103
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                                                                                • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                                                                • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                                                                                • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                                                                • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 023183C6
                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02318477
                                                                                                                                                                  • Part of subcall function 023169C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 023169E5
                                                                                                                                                                  • Part of subcall function 023169C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02316A26
                                                                                                                                                                  • Part of subcall function 023169C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02316A3A
                                                                                                                                                                  • Part of subcall function 0231EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02311DCF,?), ref: 0231EEA8
                                                                                                                                                                  • Part of subcall function 0231EE95: HeapFree.KERNEL32(00000000), ref: 0231EEAF
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                                                                                • String ID: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe
                                                                                                                                                                • API String ID: 359188348-872712706
                                                                                                                                                                • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                                                                                • Instruction ID: 41d699fdd0330754149400824db2863d9ab31cf4b69c515bd82244e2a995fe8b
                                                                                                                                                                • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                                                                                • Instruction Fuzzy Hash: B64160B2A01119BFEB28EBA09D81EFF777DEB04344F1444A6E904D6110FFB15A958B68
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 0231AFFF
                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0231B00D
                                                                                                                                                                  • Part of subcall function 0231AF6F: gethostname.WS2_32(?,00000080), ref: 0231AF83
                                                                                                                                                                  • Part of subcall function 0231AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0231AFE6
                                                                                                                                                                  • Part of subcall function 0231331C: gethostname.WS2_32(?,00000080), ref: 0231333F
                                                                                                                                                                  • Part of subcall function 0231331C: gethostbyname.WS2_32(?), ref: 02313349
                                                                                                                                                                  • Part of subcall function 0231AA0A: inet_ntoa.WS2_32(00000000), ref: 0231AA10
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                                                                • String ID: %OUTLOOK_BND_
                                                                                                                                                                • API String ID: 1981676241-3684217054
                                                                                                                                                                • Opcode ID: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                                                                                                • Instruction ID: df24c1fe04f5c28378224dccc93939e64d0504ce84c232cddff33cc5f64dd18d
                                                                                                                                                                • Opcode Fuzzy Hash: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                                                                                                • Instruction Fuzzy Hash: DC410DB290434CABDB29EFA0DC45EEE3BADFB08304F14442AF92992151EB75E6548F54
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02319536
                                                                                                                                                                • Sleep.KERNEL32(000001F4), ref: 0231955D
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExecuteShellSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 4194306370-3916222277
                                                                                                                                                                • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                                                                                • Instruction ID: 6a0924702462506a50e2ae75fbb5a169163e4c4f26a989b3d666cdb86c9eb4d9
                                                                                                                                                                • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                                                                                • Instruction Fuzzy Hash: 9E411671908384AFFB3E8B68DCAD7B63FE89B02314F1901A5D482A71A2DBB44981C711
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 0231B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 0231BA3A
• InterlockedIncrement.KERNEL32(?), ref: 0231BA94
• GetTickCount.KERNEL32 ref: 0231BB79
• GetTickCount.KERNEL32 ref: 0231BB99
• InterlockedIncrement.KERNEL32(?), ref: 0231BE15
• closesocket.WS2_32(00000000), ref: 0231BEB4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 023170BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 023170F4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
Uniqueness

Uniqueness Score: -1.00%

APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
Uniqueness

Uniqueness Score: -1.00%

APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
                                                                                                                                                                • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                                                                                • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                                                                • String ID: ntdll.dll
                                                                                                                                                                • API String ID: 2574300362-2227199552
                                                                                                                                                                • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                                                                • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                                                                                • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                                                                • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                                                                                  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_400000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1017166417-0
                                                                                                                                                                • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                                                                • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                                                                                • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                                                                • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 02312F88: GetModuleHandleA.KERNEL32(?), ref: 02312FA1
                                                                                                                                                                  • Part of subcall function 02312F88: LoadLibraryA.KERNEL32(?), ref: 02312FB1
                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 023131DA
                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 023131E1
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_11_2_2310000_pspizbvl.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1017166417-0
                                                                                                                                                                • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                                                                • Instruction ID: 465b6aeb7e2e64cccf4ab07b83d51eeb3a40dab821b2fee99c39a8314a24e8e3
                                                                                                                                                                • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                                                                • Instruction Fuzzy Hash: 19519E7191024AEFCB19AF64D884AFAB775FF05304F1445A9EC96C7210E732DA1ACB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

Execution Graph

• Execution Coverage: 15%
• Dynamic/Decrypted Code Coverage: 0%
• Signature Coverage: 0.7%
• Total number of Nodes: 1806
• Total number of Limit Nodes: 18
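The execution_graph in this report is emitted as one run-together token stream: node entries of the form `<node-id> <addr> [API ...]`, edge entries of the form `<src>-><dst>`, and `N API calls` summaries where a subcall has been collapsed. The following is an added example (my code, not Joe Sandbox tooling or the sample's code) that rebuilds that stream into a graph and answers the question an analyst actually has: which call chain reaches a given API from a given function. The token grammar is an assumption inferred from the dump, the function names are mine, and the embedded sample is a constructed excerpt of this report's own graph, re-wrapped onto several lines.

```python
"""Rebuild a Joe Sandbox execution_graph dump as nodes and edges and query it.

Added example, not part of the Joe Sandbox report. Assumed token grammar:
    <node-id> <addr> [Label ...]   node; labels are API names, 'codecvt', or
                                   a collapsed-subcall summary "N API calls"
    <src-id>-><dst-id>             directed edge between node ids
"""
from __future__ import annotations
import re
from collections import Counter, deque
from dataclasses import dataclass, field

NODE_RE = re.compile(r"^\d{4,}$")         # node id, e.g. 6142 (assumed 4+ digits)
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}$")  # code address, e.g. cd9a6b
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")   # edge, e.g. 6142->6258

@dataclass
class Node:
    node_id: str
    addr: str
    apis: list[str] = field(default_factory=list)
    summary_calls: int = 0  # accumulated from "N API calls" labels

@dataclass
class Graph:
    nodes: dict[str, Node] = field(default_factory=dict)
    edges: dict[str, list[str]] = field(default_factory=dict)

def parse_execution_graph(text: str) -> Graph:
    """Tokenise the flattened dump and rebuild nodes and directed edges."""
    g = Graph()
    toks = text.split()
    current: Node | None = None
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            g.edges.setdefault(m.group(1), []).append(m.group(2))
            i += 1
        elif NODE_RE.match(tok) and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            current = Node(node_id=tok, addr=toks[i + 1])  # "<id> <addr>" opens a node
            g.nodes[tok] = current
            i += 2
        elif tok.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            if current is not None:  # "N API calls": collapsed subcall summary
                current.summary_calls += int(tok)
            i += 3
        else:
            if current is not None:  # any other label belongs to the current node
                current.apis.append(tok)
            i += 1
    return g

def nodes_calling(g: Graph, api: str) -> list[str]:
    """Addresses of nodes whose label list contains the given API name."""
    return [n.addr for n in g.nodes.values() if api in n.apis]

def api_histogram(g: Graph) -> dict[str, int]:
    """How often each API name appears across all nodes (quick triage view)."""
    return dict(Counter(a for n in g.nodes.values() for a in n.apis))

def find_path(g: Graph, start_addr: str, api: str) -> list[str] | None:
    """Shortest edge path, as addresses, from start_addr to a node calling api."""
    start = next((n.node_id for n in g.nodes.values() if n.addr == start_addr), None)
    if start is None:
        return None
    prev: dict[str, str | None] = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if api in g.nodes[cur].apis:
            path, at = [], cur
            while at is not None:
                path.append(g.nodes[at].addr)
                at = prev[at]
            return path[::-1]
        for nxt in g.edges.get(cur, []):
            if nxt in g.nodes and nxt not in prev:  # ignore edges to nodes outside the excerpt
                prev[nxt] = cur
                queue.append(nxt)
    return None

# Constructed sample: an excerpt of this report's own execution_graph, re-wrapped
# (the report prints it as one run-together line).
SAMPLE = """
6142 cd9a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter
6258 cdec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6142->6258
6144 cd9a95 6145 cd9aa3 GetModuleHandleA GetModuleFileNameA 6144->6145
6151 cda3cc 6144->6151 6153 cd9ac4 6145->6153
6146 cda41c CreateThread WSAStartup 6259 cde52e 6146->6259
6147 cd9afd GetCommandLineA 6158 cd9b22 6147->6158
6148 cda406 DeleteFileA 6150 cda40d 6148->6150 6148->6151 6150->6146
6151->6146 6151->6148 6151->6150 6154 cda3ed GetLastError 6151->6154
6154->6150 6156 cda3f8 Sleep 6154->6156 6156->6148 6153->6147 6258->6144
7920 cd4bd1 4 API calls 7921 cd5056 7920->7921
"""
```

`find_path(parse_execution_graph(SAMPLE), "cd9a6b", "DeleteFileA")` returns the chain cd9a6b, cdec54, cd9a95, cda3cc, cda406, i.e. the path from the SetUnhandledExceptionFilter node to the DeleteFileA node in the excerpt. The breadth-first search gives the shortest chain, which is what you want when the graph has 1800 nodes; note that edges whose target is not in the parsed text (a cut-off or partial dump, as here) are skipped rather than treated as errors, and that `summary_calls` only records that a subcall was collapsed, not which APIs it contains.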
execution_graph: in this copy of the report the rendered graph has been flattened into a single run-together stream of `<node-id> <addr> [API ...]` node entries and `<src>-><dst>` edges, and the listing is cut off part-way through. The API-bearing nodes recoverable from the dump, by address:

• Startup and module info: cd9a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter (edge to cdec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount); cd9aa3, cda167 and cd9f9d GetModuleHandleA GetModuleFileNameA; cd9145 GetModuleHandleA GetModuleFileNameA CharToOemA; cd9afd and cda1e3 GetCommandLineA; cd1db4 GetVersionExA (edge to cd1dd0 GetSystemInfo GetModuleHandleA GetProcAddress, then cd1e16 GetCurrentProcess); cd6f5f GetUserNameA
• Threads, events, service: cda41c CreateThread WSAStartup; cd8269 CreateThread; cd405e and cd4280 CreateEventA; cda39d StartServiceCtrlDispatcherA
• Registry: cd9f32 RegOpenKeyExA (edge to cd9f48 RegSetValueExA RegCloseKey); cd8156 RegOpenKeyExA (edge to cd816d RegQueryValueExA); cd81aa RegQueryValueExA; cd820d RegCloseKey; cde3ca RegOpenKeyExA
• Process creation and self-deletion: cda103 CreateProcessA (edge to cda12a DeleteFileA); cdd4b1 CreateProcessA (edge to cdd4e8 CloseHandle CloseHandle); cdcd81 WaitForSingleObject CloseHandle CloseHandle; cdcdbd, cda406 and cd9e0c DeleteFileA; cd9dde GetFileAttributesExA
• Paths and environment: cd9ca0 and cdcc1c GetTempPathA; cd9e6b, cdcfad, cdd22d and cdd36e GetEnvironmentVariableA; cdcfe3 and cdd027 GetSystemDirectoryA; cda1b2 and cd9ff1 GetDriveTypeA
• File writes: cdcc9f CreateFileA (edge to cdccc6 WriteFile, then cdcced or cdcdcc CloseHandle); cdd15b CreateFileA (edge to cdd182 WriteFile CloseHandle); cdd2b1 CreateFileA (edge to cdd2d8 WriteFile CloseHandle); cdd3f2 CreateFileA (edge to cdd415 WriteFile CloseHandle); SetFileAttributesA at cdd149, cdd1bf, cdd29f, cdd31d, cdd3e0 and cdd452
• File reads: cd6784, cd67a4 and cd6a60 CreateFileA; cd677a and cd67ba SetFileAttributesA; cd67cf and cde555 GetFileSize; cd67ed, cd682a and cde576 ReadFile; cd6811 and cd6848 SetFilePointer; cd696e FindCloseChangeNotification; cde5b1 CloseHandle
• Device I/O: cd8e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle
• Networking: cdf483 WSAStartup; cdf26d setsockopt (five calls); cd199c inet_addr LoadLibraryA; cdc65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap; closesocket at cdca4b, cdcb60 and cddad2; cdd569 closesocket Sleep
• Memory, loader and pointer checks: cd643e and cd645b VirtualAlloc; cd62a0 VirtualFree; cd6281 FreeLibrary; cd5fbf VirtualProtect; cd60c0 LoadLibraryA; cd6141 and cd6155 GetProcAddress; cdf04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime; cd6090 and cd6191 IsBadReadPtr; IsBadWritePtr at cd5b84, cd5c05, cd5c24 and cd5d93; cdec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap
• Stack walk and exit: cd6511 wsprintfA IsBadReadPtr (edge to cd656a htonl htonl wsprintfA wsprintfA); cd668a GetCurrentProcess StackWalk64; wsprintfA at cd6652, cd66a0, cd66da, cd66ed and cd6712; ExitProcess at cd6753, cd9c05 and cdd582
• Timing: GetTickCount at cd4e92, cd4ead, cda49f, cda4b7, cd1f8e and cddd05; cd4ec0 InterlockedExchange; Sleep at cd4eb8, cda3f8, cda4be and cd8dec; cda3ed GetLastError
• String helpers: lstrcmpA at cd5110, cd5351, cde781 and cd8c8b; lstrcpyA at cd524f and cd99d2; cd9eb0 lstrcpyA lstrlenA; cd9d72 lstrcpyA lstrcatA lstrcatA; lstrcatA at cda02d, cda052, cda064, cda081, cdd105, cdd26e and cdd3af; lstrlenA at cd9b96, cda285 and cdef1e; wsprintfA at cda0a4, cdcd16 and cdd815
ReadFile 6496->6497 6499 cd68d5 6496->6499 6498 cd68d0 6497->6498 6502 cd6891 6497->6502 6498->6499 6499->6492 6500 cdebcc 4 API calls 6499->6500 6501 cd68f8 6500->6501 6503 cd6900 SetFilePointer 6501->6503 6501->6508 6502->6497 6502->6498 6504 cd690d ReadFile 6503->6504 6505 cd695a 6503->6505 6504->6505 6506 cd6922 6504->6506 6507 cdec2e codecvt 4 API calls 6505->6507 6506->6492 6507->6508 6508->6492 6510 cd6b8c GetLastError 6509->6510 6511 cd6a8f GetDiskFreeSpaceA 6509->6511 6520 cd6b86 6510->6520 6512 cd6ac5 6511->6512 6521 cd6ad7 6511->6521 7195 cdeb0e 6512->7195 6516 cd6b56 CloseHandle 6519 cd6b65 GetLastError CloseHandle 6516->6519 6516->6520 6517 cd6b36 GetLastError CloseHandle 6518 cd6b7f DeleteFileA 6517->6518 6518->6520 6519->6518 6520->6192 7199 cd6987 6521->7199 6523 cd96b9 6522->6523 6524 cd73ff 17 API calls 6523->6524 6525 cd96e2 6524->6525 6526 cd704c 16 API calls 6525->6526 6527 cd96f7 6525->6527 6526->6527 6527->6170 6527->6171 6529 cd429d 6528->6529 6530 cd42a5 6528->6530 6529->6174 6529->6188 7205 cd3ecd 6530->7205 6532 cd42b0 7209 cd4000 6532->7209 6534 cd42b6 6534->6529 6535 cd43c1 CloseHandle 6534->6535 7215 cd3f18 WriteFile 6534->7215 6535->6529 6540 cd43ba CloseHandle 6540->6535 6541 cd4318 6542 cd3f18 4 API calls 6541->6542 6543 cd4331 6542->6543 6544 cd3f18 4 API calls 6543->6544 6545 cd434a 6544->6545 6546 cdebcc 4 API calls 6545->6546 6547 cd4350 6546->6547 6548 cd3f18 4 API calls 6547->6548 6549 cd4389 6548->6549 6550 cdec2e codecvt 4 API calls 6549->6550 6551 cd438f 6550->6551 6552 cd3f8c 4 API calls 6551->6552 6553 cd439f CloseHandle CloseHandle 6552->6553 6553->6529 6555 cd99eb 6554->6555 6556 cd9a2f lstrcatA 6555->6556 6557 cdee2a 6556->6557 6558 cd9a4b lstrcatA 6557->6558 6559 cd6a60 13 API calls 6558->6559 6560 cd9a60 6559->6560 6560->6197 6560->6228 6561 cd6dc2 6560->6561 6562 cd6dd7 6561->6562 6563 cd6e33 6561->6563 6564 cd6cc9 5 API calls 6562->6564 6563->6215 6565 cd6ddc 6564->6565 6565->6565 6566 cd6e24 6565->6566 6567 cd6e02 
GetVolumeInformationA 6565->6567 6566->6563 6567->6566 6569 cd6cdc GetModuleHandleA GetProcAddress 6568->6569 6576 cd6d8b 6568->6576 6570 cd6cfd 6569->6570 6571 cd6d12 GetSystemDirectoryA 6569->6571 6570->6571 6570->6576 6572 cd6d1e 6571->6572 6573 cd6d27 GetWindowsDirectoryA 6571->6573 6572->6573 6572->6576 6575 cd6d42 6573->6575 6574 cdef1e lstrlenA 6574->6576 6575->6574 6576->6224 7223 cd1910 6577->7223 6580 cd934a GetModuleHandleA GetModuleFileNameA 6582 cd937f 6580->6582 6583 cd93d9 6582->6583 6584 cd93a4 6582->6584 6586 cd9401 wsprintfA 6583->6586 6585 cd93c3 wsprintfA 6584->6585 6587 cd9415 6585->6587 6586->6587 6588 cd94a0 6587->6588 6590 cd6cc9 5 API calls 6587->6590 6589 cd6edd 5 API calls 6588->6589 6591 cd94ac 6589->6591 6597 cd9439 6590->6597 6592 cd962f 6591->6592 6593 cd94e8 RegOpenKeyExA 6591->6593 6598 cd9646 6592->6598 7238 cd1820 6592->7238 6595 cd94fb 6593->6595 6596 cd9502 6593->6596 6595->6592 6602 cd958a 6595->6602 6600 cd951f RegQueryValueExA 6596->6600 6601 cdef1e lstrlenA 6597->6601 6607 cd95d6 6598->6607 7244 cd91eb 6598->7244 6603 cd9539 6600->6603 6604 cd9530 6600->6604 6605 cd9462 6601->6605 6602->6598 6606 cd9593 6602->6606 6609 cd9556 RegQueryValueExA 6603->6609 6608 cd956e RegCloseKey 6604->6608 6610 cd947e wsprintfA 6605->6610 6606->6607 7225 cdf0e4 6606->7225 6607->6234 6607->6235 6608->6595 6609->6604 6609->6608 6610->6588 6612 cd95bb 6612->6607 7232 cd18e0 6612->7232 6615 cd2544 6614->6615 6616 cd972d RegOpenKeyExA 6615->6616 6617 cd9765 6616->6617 6618 cd9740 6616->6618 6617->6210 6619 cd974f RegDeleteValueA RegCloseKey 6618->6619 6619->6617 6621 cd2554 lstrcatA 6620->6621 6622 cdee2a 6621->6622 6623 cda0ec lstrcatA 6622->6623 6623->6242 6625 cda15d 6624->6625 6626 cdec37 6624->6626 6625->6174 6625->6178 6627 cdeba0 codecvt 2 API calls 6626->6627 6628 cdec3d GetProcessHeap RtlFreeHeap 6627->6628 6628->6625 6630 cd2544 6629->6630 6631 cd919e wsprintfA 6630->6631 6632 cd91bb 6631->6632 7282 cd9064 GetTempPathA 6632->7282 6635 
cd91d5 ShellExecuteA 6636 cd91e7 6635->6636 6636->6192 6638 cd6ed5 6637->6638 6639 cd6ecc 6637->6639 6638->6229 6640 cd6e36 2 API calls 6639->6640 6640->6638 6642 cd98f6 6641->6642 6643 cd4280 30 API calls 6642->6643 6644 cd9904 Sleep 6642->6644 6645 cd9915 6642->6645 6643->6642 6644->6642 6644->6645 6647 cd9947 6645->6647 7289 cd977c 6645->7289 6647->6225 6649 cddd41 InterlockedExchange 6648->6649 6650 cddd4a 6649->6650 6651 cddd20 GetCurrentThreadId 6649->6651 6653 cddd53 GetCurrentThreadId 6650->6653 6652 cddd2e GetTickCount 6651->6652 6651->6653 6654 cddd4c 6652->6654 6655 cddd39 Sleep 6652->6655 6653->6261 6654->6653 6655->6649 6657 cddbf0 6656->6657 6689 cddb67 GetEnvironmentVariableA 6657->6689 6659 cddc19 6660 cddcda 6659->6660 6661 cddb67 3 API calls 6659->6661 6660->6263 6662 cddc5c 6661->6662 6662->6660 6663 cddb67 3 API calls 6662->6663 6664 cddc9b 6663->6664 6664->6660 6665 cddb67 3 API calls 6664->6665 6665->6660 6667 cde528 6666->6667 6668 cde3f4 6666->6668 6667->6276 6669 cde434 RegQueryValueExA 6668->6669 6670 cde51d RegCloseKey 6669->6670 6671 cde458 6669->6671 6670->6667 6672 cde46e RegQueryValueExA 6671->6672 6672->6671 6673 cde488 6672->6673 6673->6670 6674 cddb2e 8 API calls 6673->6674 6675 cde499 6674->6675 6675->6670 6676 cde4b9 RegQueryValueExA 6675->6676 6677 cde4e8 6675->6677 6676->6675 6676->6677 6677->6670 6678 cde332 14 API calls 6677->6678 6679 cde513 6678->6679 6679->6670 6681 cddb3a 6680->6681 6682 cddb55 6680->6682 6693 cdebed 6681->6693 6682->6266 6682->6270 6711 cdf04e SystemTimeToFileTime GetSystemTimeAsFileTime 6684->6711 6686 cde3be 6686->6266 6687 cde342 6687->6686 6714 cdde24 6687->6714 6690 cddb89 lstrcpyA CreateFileA 6689->6690 6691 cddbca 6689->6691 6690->6659 6691->6659 6694 cdebf6 6693->6694 6695 cdec01 6693->6695 6702 cdebcc GetProcessHeap RtlAllocateHeap 6694->6702 6705 cdeba0 6695->6705 6703 cdeb74 2 API calls 6702->6703 6704 cdebe8 6703->6704 6704->6682 6706 cdebbf GetProcessHeap RtlReAllocateHeap 6705->6706 6707 
cdeba7 GetProcessHeap HeapSize 6705->6707 6708 cdeb74 6706->6708 6707->6706 6709 cdeb93 6708->6709 6710 cdeb7b GetProcessHeap HeapSize 6708->6710 6709->6682 6710->6709 6725 cdeb41 6711->6725 6713 cdf0b7 6713->6687 6715 cdde3a 6714->6715 6721 cdde4e 6715->6721 6734 cddd84 6715->6734 6718 cdde9e 6720 cdebed 8 API calls 6718->6720 6718->6721 6719 cdde76 6738 cdddcf 6719->6738 6723 cddef6 6720->6723 6721->6687 6723->6721 6724 cdddcf lstrcmpA 6723->6724 6724->6721 6726 cdeb4a 6725->6726 6729 cdeb61 6725->6729 6730 cdeae4 6726->6730 6728 cdeb54 6728->6713 6728->6729 6729->6713 6731 cdeaed LoadLibraryA 6730->6731 6732 cdeb02 GetProcAddress 6730->6732 6731->6732 6733 cdeb01 6731->6733 6732->6728 6733->6728 6735 cdddc5 6734->6735 6736 cddd96 6734->6736 6735->6718 6735->6719 6736->6735 6737 cdddad lstrcmpiA 6736->6737 6737->6735 6737->6736 6739 cdde20 6738->6739 6740 cddddd 6738->6740 6739->6721 6740->6739 6741 cdddfa lstrcmpA 6740->6741 6741->6740 6743 cddd05 6 API calls 6742->6743 6744 cde821 6743->6744 6745 cddd84 lstrcmpiA 6744->6745 6747 cde82c 6745->6747 6746 cde844 6746->6290 6747->6746 6792 cd2480 6747->6792 6750 cdea98 6749->6750 6801 cde8a1 6750->6801 6752 cd1e84 6752->6298 6754 cd19ce 6753->6754 6755 cd19d5 GetProcAddress GetProcAddress GetProcAddress 6753->6755 6754->6303 6756 cd1a04 6755->6756 6757 cd1ab3 FreeLibrary 6755->6757 6756->6757 6758 cd1a14 GetBestInterface GetProcessHeap 6756->6758 6757->6754 6758->6754 6759 cd1a2e HeapAlloc 6758->6759 6759->6754 6760 cd1a42 GetAdaptersInfo 6759->6760 6761 cd1a62 6760->6761 6762 cd1a52 HeapReAlloc 6760->6762 6763 cd1a69 GetAdaptersInfo 6761->6763 6764 cd1aa1 FreeLibrary 6761->6764 6762->6761 6763->6764 6765 cd1a75 HeapFree 6763->6765 6764->6754 6765->6764 6829 cd1ac3 LoadLibraryA 6767->6829 6770 cd1bcf 6770->6314 6772 cd1ac3 13 API calls 6771->6772 6773 cd1c09 6772->6773 6774 cd1c0d GetComputerNameA 6773->6774 6775 cd1c5a 6773->6775 6776 cd1c1f 6774->6776 6777 cd1c45 GetVolumeInformationA 6774->6777 6775->6322 
6776->6777 6778 cd1c41 6776->6778 6777->6775 6778->6775 6780 cdee2a 6779->6780 6781 cd30d0 gethostname gethostbyname 6780->6781 6782 cd1f82 6781->6782 6782->6328 6782->6329 6784 cddd05 6 API calls 6783->6784 6785 cddf7c 6784->6785 6786 cddd84 lstrcmpiA 6785->6786 6787 cddf89 6786->6787 6788 cdddcf lstrcmpA 6787->6788 6789 cdec2e codecvt 4 API calls 6787->6789 6790 cddd84 lstrcmpiA 6787->6790 6791 cddfc4 6787->6791 6788->6787 6789->6787 6790->6787 6791->6297 6795 cd2419 lstrlenA 6792->6795 6794 cd2491 6794->6746 6796 cd243d lstrlenA 6795->6796 6797 cd2474 6795->6797 6798 cd244e lstrcmpiA 6796->6798 6799 cd2464 lstrlenA 6796->6799 6797->6794 6798->6799 6800 cd245c 6798->6800 6799->6796 6799->6797 6800->6797 6800->6799 6802 cddd05 6 API calls 6801->6802 6803 cde8b4 6802->6803 6804 cddd84 lstrcmpiA 6803->6804 6805 cde8c0 6804->6805 6806 cde8c8 lstrcpynA 6805->6806 6816 cde90a 6805->6816 6807 cde8f5 6806->6807 6822 cddf4c 6807->6822 6808 cd2419 4 API calls 6809 cde926 lstrlenA lstrlenA 6808->6809 6810 cde94c lstrlenA 6809->6810 6811 cde96a 6809->6811 6810->6811 6815 cdebcc 4 API calls 6811->6815 6817 cdea27 6811->6817 6813 cde901 6814 cddd84 lstrcmpiA 6813->6814 6814->6816 6818 cde98f 6815->6818 6816->6808 6816->6817 6817->6752 6818->6817 6819 cddf4c 20 API calls 6818->6819 6820 cdea1e 6819->6820 6821 cdec2e codecvt 4 API calls 6820->6821 6821->6817 6823 cddd05 6 API calls 6822->6823 6824 cddf51 6823->6824 6825 cdf04e 4 API calls 6824->6825 6826 cddf58 6825->6826 6827 cdde24 10 API calls 6826->6827 6828 cddf63 6827->6828 6828->6813 6830 cd1b68 GetComputerNameA GetVolumeInformationA 6829->6830 6831 cd1ae2 GetProcAddress 6829->6831 6830->6770 6831->6830 6836 cd1af5 6831->6836 6832 cd1b1c GetAdaptersAddresses 6834 cd1b29 6832->6834 6832->6836 6833 cdebed 8 API calls 6833->6836 6834->6830 6835 cdec2e codecvt 4 API calls 6834->6835 6835->6830 6836->6832 6836->6833 6836->6834 6838 cd6ec3 2 API calls 6837->6838 6839 cd7ef4 6838->6839 6849 cd7fc9 6839->6849 6873 cd73ff 
6839->6873 6841 cd7f16 6841->6849 6893 cd7809 GetUserNameA 6841->6893 6843 cd7f63 6843->6849 6917 cdef1e lstrlenA 6843->6917 6846 cdef1e lstrlenA 6847 cd7fb7 6846->6847 6919 cd7a95 RegOpenKeyExA 6847->6919 6849->6338 6851 cd7073 6850->6851 6852 cd70b9 RegOpenKeyExA 6851->6852 6853 cd70d0 6852->6853 6867 cd71b8 6852->6867 6854 cd6dc2 6 API calls 6853->6854 6857 cd70d5 6854->6857 6855 cd719b RegEnumValueA 6856 cd71af RegCloseKey 6855->6856 6855->6857 6856->6867 6857->6855 6859 cd71d0 6857->6859 6950 cdf1a5 lstrlenA 6857->6950 6860 cd7205 RegCloseKey 6859->6860 6861 cd7227 6859->6861 6860->6867 6862 cd728e RegCloseKey 6861->6862 6863 cd72b8 ___ascii_stricmp 6861->6863 6862->6867 6864 cd72cd RegCloseKey 6863->6864 6865 cd72dd 6863->6865 6864->6867 6866 cd7311 RegCloseKey 6865->6866 6868 cd7335 6865->6868 6866->6867 6867->6339 6869 cd73d5 RegCloseKey 6868->6869 6871 cd737e GetFileAttributesExA 6868->6871 6872 cd7397 6868->6872 6870 cd73e4 6869->6870 6871->6872 6872->6869 6874 cd741b 6873->6874 6875 cd6dc2 6 API calls 6874->6875 6876 cd743f 6875->6876 6877 cd7469 RegOpenKeyExA 6876->6877 6878 cd77f9 6877->6878 6888 cd7487 ___ascii_stricmp 6877->6888 6878->6841 6879 cd7703 RegEnumKeyA 6880 cd7714 RegCloseKey 6879->6880 6879->6888 6880->6878 6881 cd74d2 RegOpenKeyExA 6881->6888 6882 cd772c 6884 cd774b 6882->6884 6885 cd7742 RegCloseKey 6882->6885 6883 cd7521 RegQueryValueExA 6883->6888 6886 cd77ec RegCloseKey 6884->6886 6885->6884 6886->6878 6887 cd76e4 RegCloseKey 6887->6888 6888->6879 6888->6881 6888->6882 6888->6883 6888->6887 6890 cdf1a5 lstrlenA 6888->6890 6891 cd777e GetFileAttributesExA 6888->6891 6892 cd7769 6888->6892 6889 cd77e3 RegCloseKey 6889->6886 6890->6888 6891->6892 6892->6889 6894 cd783d LookupAccountNameA 6893->6894 6895 cd7a8d 6893->6895 6894->6895 6896 cd7874 GetLengthSid GetFileSecurityA 6894->6896 6895->6843 6896->6895 6897 cd78a8 GetSecurityDescriptorOwner 6896->6897 6898 cd791d GetSecurityDescriptorDacl 6897->6898 6899 cd78c5 EqualSid 6897->6899 
6898->6895 6901 cd7941 6898->6901 6899->6898 6900 cd78dc LocalAlloc 6899->6900 6900->6898 6902 cd78ef InitializeSecurityDescriptor 6900->6902 6901->6895 6905 cd795b GetAce 6901->6905 6907 cd7980 EqualSid 6901->6907 6908 cd7a3d 6901->6908 6909 cd79be EqualSid 6901->6909 6910 cd799d DeleteAce 6901->6910 6903 cd78fb SetSecurityDescriptorOwner 6902->6903 6904 cd7916 LocalFree 6902->6904 6903->6904 6906 cd790b SetFileSecurityA 6903->6906 6904->6898 6905->6901 6906->6904 6907->6901 6908->6895 6911 cd7a43 LocalAlloc 6908->6911 6909->6901 6910->6901 6911->6895 6912 cd7a56 InitializeSecurityDescriptor 6911->6912 6913 cd7a86 LocalFree 6912->6913 6914 cd7a62 SetSecurityDescriptorDacl 6912->6914 6913->6895 6914->6913 6915 cd7a73 SetFileSecurityA 6914->6915 6915->6913 6916 cd7a83 6915->6916 6916->6913 6918 cd7fa6 6917->6918 6918->6846 6920 cd7acb GetUserNameA 6919->6920 6921 cd7ac4 6919->6921 6922 cd7aed LookupAccountNameA 6920->6922 6923 cd7da7 RegCloseKey 6920->6923 6921->6849 6922->6923 6924 cd7b24 RegGetKeySecurity 6922->6924 6923->6921 6924->6923 6925 cd7b49 GetSecurityDescriptorOwner 6924->6925 6926 cd7bb8 GetSecurityDescriptorDacl 6925->6926 6927 cd7b63 EqualSid 6925->6927 6928 cd7da6 6926->6928 6940 cd7bdc 6926->6940 6927->6926 6929 cd7b74 LocalAlloc 6927->6929 6928->6923 6929->6926 6930 cd7b8a InitializeSecurityDescriptor 6929->6930 6932 cd7b96 SetSecurityDescriptorOwner 6930->6932 6933 cd7bb1 LocalFree 6930->6933 6931 cd7bf8 GetAce 6931->6940 6932->6933 6934 cd7ba6 RegSetKeySecurity 6932->6934 6933->6926 6934->6933 6935 cd7c1d EqualSid 6935->6940 6936 cd7cd9 6936->6928 6939 cd7d5a LocalAlloc 6936->6939 6941 cd7cf2 RegOpenKeyExA 6936->6941 6937 cd7c5f EqualSid 6937->6940 6938 cd7c3a DeleteAce 6938->6940 6939->6928 6942 cd7d70 InitializeSecurityDescriptor 6939->6942 6940->6928 6940->6931 6940->6935 6940->6936 6940->6937 6940->6938 6941->6939 6947 cd7d0f 6941->6947 6943 cd7d7c SetSecurityDescriptorDacl 6942->6943 6944 cd7d9f LocalFree 6942->6944 6943->6944 6945 cd7d8c 
RegSetKeySecurity 6943->6945 6944->6928 6945->6944 6946 cd7d9c 6945->6946 6946->6944 6948 cd7d43 RegSetValueExA 6947->6948 6948->6939 6949 cd7d54 6948->6949 6949->6939 6951 cdf1c3 6950->6951 6951->6857 6952->6358 6954 cddd05 6 API calls 6953->6954 6957 cde65f 6954->6957 6955 cde6a5 6956 cdebcc 4 API calls 6955->6956 6959 cde6f5 6955->6959 6960 cde6b0 6956->6960 6957->6955 6958 cde68c lstrcmpA 6957->6958 6958->6957 6961 cde71d lstrcmpA 6959->6961 6962 cde6b7 6959->6962 6960->6959 6960->6962 6963 cde6e0 lstrcpynA 6960->6963 6961->6959 6962->6360 6963->6959 6964->6366 6966 cd268e 6965->6966 6967 cd2692 inet_addr 6965->6967 6969 cdf428 6966->6969 6967->6966 6968 cd269e gethostbyname 6967->6968 6968->6966 7117 cdf315 6969->7117 6972 cdf43e 6973 cdf473 recv 6972->6973 6974 cdf47c 6973->6974 6975 cdf458 6973->6975 6974->6397 6975->6973 6975->6974 6977 cdc532 6976->6977 6978 cdc525 6976->6978 6979 cdc548 6977->6979 7130 cde7ff 6977->7130 6978->6977 6980 cdec2e codecvt 4 API calls 6978->6980 6982 cde7ff lstrcmpiA 6979->6982 6989 cdc54f 6979->6989 6980->6977 6983 cdc615 6982->6983 6984 cdebcc 4 API calls 6983->6984 6983->6989 6984->6989 6986 cdc5d1 6987 cdebcc 4 API calls 6986->6987 6987->6989 6988 cde819 11 API calls 6990 cdc5b7 6988->6990 6989->6379 6991 cdf04e 4 API calls 6990->6991 6992 cdc5bf 6991->6992 6992->6979 6992->6986 6994 cdc8d2 6993->6994 6995 cdc907 6994->6995 6996 cdc517 23 API calls 6994->6996 6995->6381 6996->6995 6998 cdc670 6997->6998 6999 cdc67d 6997->6999 7000 cdebcc 4 API calls 6998->7000 7001 cdebcc 4 API calls 6999->7001 7003 cdc699 6999->7003 7000->6999 7001->7003 7002 cdc6f3 7002->6410 7002->6419 7003->7002 7004 cdc73c send 7003->7004 7004->7002 7006 cdc770 7005->7006 7007 cdc77d 7005->7007 7008 cdebcc 4 API calls 7006->7008 7009 cdebcc 4 API calls 7007->7009 7010 cdc799 7007->7010 7008->7007 7009->7010 7011 cdc7b5 7010->7011 7013 cdebcc 4 API calls 7010->7013 7012 cdf43e recv 7011->7012 7014 cdc7cb 7012->7014 7013->7011 7015 cdf43e recv 7014->7015 
7016 cdc7d3 7014->7016 7015->7016 7016->6419 7133 cd7db7 7017->7133 7020 cd7e70 7021 cd7e96 7020->7021 7024 cdf04e 4 API calls 7020->7024 7021->6419 7022 cdf04e 4 API calls 7023 cd7e4c 7022->7023 7023->7020 7025 cdf04e 4 API calls 7023->7025 7024->7021 7025->7020 7027 cd6ec3 2 API calls 7026->7027 7028 cd7fdd 7027->7028 7029 cd80c2 CreateProcessA 7028->7029 7030 cd73ff 17 API calls 7028->7030 7029->6464 7029->6465 7031 cd7fff 7030->7031 7031->7029 7032 cd7809 21 API calls 7031->7032 7033 cd804d 7032->7033 7033->7029 7034 cdef1e lstrlenA 7033->7034 7035 cd809e 7034->7035 7036 cdef1e lstrlenA 7035->7036 7037 cd80af 7036->7037 7038 cd7a95 24 API calls 7037->7038 7038->7029 7040 cd7db7 2 API calls 7039->7040 7041 cd7eb8 7040->7041 7042 cdf04e 4 API calls 7041->7042 7043 cd7ece DeleteFileA 7042->7043 7043->6419 7045 cddd05 6 API calls 7044->7045 7046 cde31d 7045->7046 7137 cde177 7046->7137 7048 cde326 7048->6437 7050 cd31f3 7049->7050 7060 cd31ec 7049->7060 7051 cdebcc 4 API calls 7050->7051 7065 cd31fc 7051->7065 7052 cd344b 7053 cd349d 7052->7053 7054 cd3459 7052->7054 7056 cdec2e codecvt 4 API calls 7053->7056 7055 cdf04e 4 API calls 7054->7055 7057 cd345f 7055->7057 7056->7060 7058 cd30fa 4 API calls 7057->7058 7058->7060 7059 cdebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7059->7065 7060->6419 7061 cd344d 7062 cdec2e codecvt 4 API calls 7061->7062 7062->7052 7064 cd3141 lstrcmpiA 7064->7065 7065->7052 7065->7059 7065->7060 7065->7061 7065->7064 7163 cd30fa GetTickCount 7065->7163 7067 cd30fa 4 API calls 7066->7067 7068 cd3c1a 7067->7068 7069 cd3ce6 7068->7069 7168 cd3a72 7068->7168 7069->6419 7072 cd3a72 9 API calls 7073 cd3c5e 7072->7073 7073->7069 7074 cd3a72 9 API calls 7073->7074 7075 cdec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7073->7075 7074->7073 7075->7073 7077 cd3a10 7076->7077 7078 cd30fa 4 API calls 7077->7078 7079 cd3a1a 7078->7079 7079->6419 7081 cddd05 6 API calls 7080->7081 7082 cde7be 7081->7082 7082->6419 7084 
cdc07e wsprintfA 7083->7084 7085 cdc105 7083->7085 7177 cdbfce GetTickCount wsprintfA 7084->7177 7085->6419 7087 cdc0ef 7178 cdbfce GetTickCount wsprintfA 7087->7178 7090 cd6f88 LookupAccountNameA 7089->7090 7091 cd7047 7089->7091 7093 cd6fcb 7090->7093 7094 cd7025 7090->7094 7091->6419 7096 cd6fdb ConvertSidToStringSidA 7093->7096 7179 cd6edd 7094->7179 7096->7094 7098 cd6ff1 7096->7098 7098->7098 7099 cd7013 LocalFree 7098->7099 7099->7094 7101 cddd05 6 API calls 7100->7101 7102 cde85c 7101->7102 7103 cddd84 lstrcmpiA 7102->7103 7104 cde867 7103->7104 7105 cde885 lstrcpyA 7104->7105 7190 cd24a5 7104->7190 7193 cddd69 7105->7193 7111 cd7db7 2 API calls 7110->7111 7112 cd7de1 7111->7112 7113 cdf04e 4 API calls 7112->7113 7116 cd7e16 7112->7116 7114 cd7df2 7113->7114 7115 cdf04e 4 API calls 7114->7115 7114->7116 7115->7116 7116->6419 7118 cdf33b 7117->7118 7119 cdca1d 7117->7119 7120 cdf347 htons socket 7118->7120 7119->6394 7119->6972 7121 cdf374 closesocket 7120->7121 7122 cdf382 ioctlsocket 7120->7122 7121->7119 7123 cdf39d 7122->7123 7124 cdf3aa connect select 7122->7124 7125 cdf39f closesocket 7123->7125 7124->7119 7126 cdf3f2 __WSAFDIsSet 7124->7126 7125->7119 7126->7125 7127 cdf403 ioctlsocket 7126->7127 7129 cdf26d setsockopt setsockopt setsockopt setsockopt setsockopt 7127->7129 7129->7119 7131 cddd84 lstrcmpiA 7130->7131 7132 cdc58e 7131->7132 7132->6979 7132->6986 7132->6988 7134 cd7dc8 InterlockedExchange 7133->7134 7135 cd7dd4 7134->7135 7136 cd7dc0 Sleep 7134->7136 7135->7020 7135->7022 7136->7134 7139 cde184 7137->7139 7138 cde2e4 7138->7048 7139->7138 7140 cde223 7139->7140 7153 cddfe2 7139->7153 7140->7138 7142 cddfe2 8 API calls 7140->7142 7146 cde23c 7142->7146 7143 cde1be 7143->7140 7144 cddbcf 3 API calls 7143->7144 7147 cde1d6 7144->7147 7145 cde21a CloseHandle 7145->7140 7146->7138 7157 cde095 RegCreateKeyExA 7146->7157 7147->7140 7147->7145 7148 cde1f9 WriteFile 7147->7148 7148->7145 7149 cde213 7148->7149 7149->7145 7151 cde2a3 7151->7138 
7152 cde095 4 API calls 7151->7152 7152->7138 7154 cddffc 7153->7154 7156 cde024 7153->7156 7155 cddb2e 8 API calls 7154->7155 7154->7156 7155->7156 7156->7143 7158 cde172 7157->7158 7160 cde0c0 7157->7160 7158->7151 7159 cde14e RegDeleteValueA RegCloseKey 7159->7158 7161 cde115 RegSetValueExA 7160->7161 7162 cde13d 7160->7162 7161->7160 7161->7162 7162->7159 7164 cd3122 InterlockedExchange 7163->7164 7165 cd310f GetTickCount 7164->7165 7166 cd312e 7164->7166 7165->7166 7167 cd311a Sleep 7165->7167 7166->7065 7167->7164 7169 cdf04e 4 API calls 7168->7169 7176 cd3a83 7169->7176 7170 cd3ac1 7170->7069 7170->7072 7171 cd3be6 7172 cdec2e codecvt 4 API calls 7171->7172 7172->7170 7173 cd3bc0 7173->7171 7175 cdec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7173->7175 7174 cd3b66 lstrlenA 7174->7170 7174->7176 7175->7173 7176->7170 7176->7173 7176->7174 7177->7087 7178->7085 7180 cd6f55 wsprintfA 7179->7180 7181 cd6eef AllocateAndInitializeSid 7179->7181 7180->7091 7182 cd6f1c CheckTokenMembership 7181->7182 7183 cd6f44 7181->7183 7184 cd6f2e 7182->7184 7185 cd6f3b FreeSid 7182->7185 7183->7180 7187 cd6e36 GetUserNameW 7183->7187 7184->7185 7185->7183 7188 cd6e5f LookupAccountNameW 7187->7188 7189 cd6e97 7187->7189 7188->7189 7189->7180 7191 cd2419 4 API calls 7190->7191 7192 cd24b6 7191->7192 7192->7105 7194 cddd79 lstrlenA 7193->7194 7194->6419 7196 cdeb21 7195->7196 7197 cdeb17 7195->7197 7196->6521 7198 cdeae4 2 API calls 7197->7198 7198->7196 7200 cd69b9 WriteFile 7199->7200 7202 cd6a3c 7200->7202 7204 cd69ff 7200->7204 7202->6516 7202->6517 7203 cd6a10 WriteFile 7203->7202 7203->7204 7204->7202 7204->7203 7206 cd3edc 7205->7206 7207 cd3ee2 7205->7207 7208 cd6dc2 6 API calls 7206->7208 7207->6532 7208->7207 7210 cd400b CreateFileA 7209->7210 7211 cd402c GetLastError 7210->7211 7213 cd4052 7210->7213 7212 cd4037 7211->7212 7211->7213 7212->7213 7214 cd4041 Sleep 7212->7214 7213->6534 7214->7210 7214->7213 7216 cd3f4e GetLastError 7215->7216 7218 
cd3f7c 7215->7218 7217 cd3f5b WaitForSingleObject GetOverlappedResult 7216->7217 7216->7218 7217->7218 7219 cd3f8c ReadFile 7218->7219 7220 cd3ff0 7219->7220 7221 cd3fc2 GetLastError 7219->7221 7220->6540 7220->6541 7221->7220 7222 cd3fcf WaitForSingleObject GetOverlappedResult 7221->7222 7222->7220 7224 cd1924 GetVersionExA 7223->7224 7224->6580 7226 cdf0ed 7225->7226 7227 cdf0f1 7225->7227 7226->6612 7228 cdf119 7227->7228 7229 cdf0fa lstrlenA SysAllocStringByteLen 7227->7229 7230 cdf11c MultiByteToWideChar 7228->7230 7229->7230 7231 cdf117 7229->7231 7230->7231 7231->6612 7233 cd1820 17 API calls 7232->7233 7234 cd18f2 7233->7234 7235 cd18f9 7234->7235 7249 cd1280 7234->7249 7235->6607 7237 cd1908 7237->6607 7261 cd1000 7238->7261 7240 cd1839 7241 cd183d 7240->7241 7242 cd1851 GetCurrentProcess 7240->7242 7241->6598 7243 cd1864 7242->7243 7243->6598 7245 cd9308 7244->7245 7248 cd920e 7244->7248 7245->6607 7246 cd92f1 Sleep 7246->7248 7247 cd92bf ShellExecuteA 7247->7245 7247->7248 7248->7245 7248->7246 7248->7247 7250 cd12e1 7249->7250 7251 cd16f9 GetLastError 7250->7251 7259 cd13a8 7250->7259 7252 cd1699 7251->7252 7252->7237 7253 cd1570 lstrlenW 7253->7259 7254 cd15be GetStartupInfoW 7254->7259 7255 cd15ff CreateProcessWithLogonW 7256 cd16bf GetLastError 7255->7256 7257 cd163f WaitForSingleObject 7255->7257 7256->7252 7258 cd1659 CloseHandle 7257->7258 7257->7259 7258->7259 7259->7252 7259->7253 7259->7254 7259->7255 7260 cd1668 CloseHandle 7259->7260 7260->7259 7262 cd100d LoadLibraryA 7261->7262 7263 cd1023 7261->7263 7262->7263 7264 cd1021 7262->7264 7265 cd10b5 GetProcAddress 7263->7265 7281 cd10ae 7263->7281 7264->7240 7266 cd127b 7265->7266 7267 cd10d1 GetProcAddress 7265->7267 7266->7240 7267->7266 7268 cd10f0 GetProcAddress 7267->7268 7268->7266 7269 cd1110 GetProcAddress 7268->7269 7269->7266 7270 cd1130 GetProcAddress 7269->7270 7270->7266 7271 cd114f GetProcAddress 7270->7271 7271->7266 7272 cd116f GetProcAddress 7271->7272 7272->7266 7273 cd118f 
GetProcAddress 7272->7273 7273->7266 7274 cd11ae GetProcAddress 7273->7274 7274->7266 7275 cd11ce GetProcAddress 7274->7275 7275->7266 7276 cd11ee GetProcAddress 7275->7276 7276->7266 7277 cd1209 GetProcAddress 7276->7277 7277->7266 7278 cd1225 GetProcAddress 7277->7278 7278->7266 7279 cd1241 GetProcAddress 7278->7279 7279->7266 7280 cd125c GetProcAddress 7279->7280 7280->7266 7281->7240 7283 cd908d 7282->7283 7284 cd90e2 wsprintfA 7283->7284 7285 cdee2a 7284->7285 7286 cd90fd CreateFileA 7285->7286 7287 cd913f 7286->7287 7288 cd911a lstrlenA WriteFile CloseHandle 7286->7288 7287->6635 7287->6636 7288->7287 7290 cdee2a 7289->7290 7291 cd9794 CreateProcessA 7290->7291 7292 cd97bb 7291->7292 7293 cd97c2 7291->7293 7292->6647 7294 cd97d4 GetThreadContext 7293->7294 7295 cd97f5 7294->7295 7296 cd9801 7294->7296 7298 cd97f6 TerminateProcess 7295->7298 7303 cd637c 7296->7303 7298->7292 7299 cd9816 7299->7298 7300 cd981e WriteProcessMemory 7299->7300 7300->7295 7301 cd983b SetThreadContext 7300->7301 7301->7295 7302 cd9858 ResumeThread 7301->7302 7302->7292 7304 cd638a GetModuleHandleA VirtualAlloc 7303->7304 7305 cd6386 7303->7305 7306 cd63b6 7304->7306 7310 cd63f5 7304->7310 7305->7299 7307 cd63be VirtualAllocEx 7306->7307 7308 cd63d6 7307->7308 7307->7310 7309 cd63df WriteProcessMemory 7308->7309 7309->7310 7310->7299 7312 cd879f 7311->7312 7313 cd8791 7311->7313 7314 cd87bc 7312->7314 7316 cdf04e 4 API calls 7312->7316 7315 cdf04e 4 API calls 7313->7315 7317 cde819 11 API calls 7314->7317 7315->7312 7316->7314 7318 cd87d7 7317->7318 7327 cd8803 7318->7327 7466 cd26b2 gethostbyaddr 7318->7466 7321 cd87eb 7323 cde8a1 30 API calls 7321->7323 7321->7327 7323->7327 7326 cdf04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7326->7327 7327->7326 7328 cde819 11 API calls 7327->7328 7329 cd88a0 Sleep 7327->7329 7331 cd26b2 2 API calls 7327->7331 7332 cde8a1 30 API calls 7327->7332 7363 cd8cee 7327->7363 7371 cdc4d6 7327->7371 7374 cdc4e2 7327->7374 
7377 cd2011 7327->7377 7412 cd8328 7327->7412 7328->7327 7329->7327 7331->7327 7332->7327 7334 cd407d 7333->7334 7335 cd4084 7333->7335 7336 cd3ecd 6 API calls 7335->7336 7337 cd408f 7336->7337 7338 cd4000 3 API calls 7337->7338 7339 cd4095 7338->7339 7340 cd4130 7339->7340 7341 cd40c0 7339->7341 7342 cd3ecd 6 API calls 7340->7342 7346 cd3f18 4 API calls 7341->7346 7343 cd4159 CreateNamedPipeA 7342->7343 7344 cd4188 ConnectNamedPipe 7343->7344 7345 cd4167 Sleep 7343->7345 7349 cd4195 GetLastError 7344->7349 7359 cd41ab 7344->7359 7345->7340 7347 cd4176 CloseHandle 7345->7347 7348 cd40da 7346->7348 7347->7344 7350 cd3f8c 4 API calls 7348->7350 7351 cd425e DisconnectNamedPipe 7349->7351 7349->7359 7353 cd40ec 7350->7353 7351->7344 7352 cd3f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7352->7359 7354 cd4127 CloseHandle 7353->7354 7356 cd4101 7353->7356 7354->7340 7355 cd3f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7355->7359 7357 cd3f18 4 API calls 7356->7357 7358 cd411c ExitProcess 7357->7358 7359->7344 7359->7351 7359->7352 7359->7355 7360 cd426a CloseHandle CloseHandle 7359->7360 7361 cde318 23 API calls 7360->7361 7362 cd427b 7361->7362 7362->7362 7364 cd8dae 7363->7364 7365 cd8d02 GetTickCount 7363->7365 7364->7327 7365->7364 7368 cd8d19 7365->7368 7366 cd8da1 GetTickCount 7366->7364 7368->7366 7370 cd8d89 7368->7370 7471 cda677 7368->7471 7474 cda688 7368->7474 7370->7366 7482 cdc2dc 7371->7482 7375 cdc2dc 142 API calls 7374->7375 7376 cdc4ec 7375->7376 7376->7327 7378 cd202e 7377->7378 7379 cd2020 7377->7379 7381 cd204b 7378->7381 7382 cdf04e 4 API calls 7378->7382 7380 cdf04e 4 API calls 7379->7380 7380->7378 7383 cd206e GetTickCount 7381->7383 7384 cdf04e 4 API calls 7381->7384 7382->7381 7385 cd20db GetTickCount 7383->7385 7394 cd2090 7383->7394 7388 cd2068 7384->7388 7386 cd20e7 7385->7386 7387 cd2132 GetTickCount GetTickCount 7385->7387 7391 cd212b GetTickCount 7386->7391 7402 cd1978 15 API calls 7386->7402 7406 
APIs
• closesocket.WS2_32(?), ref: 00CDCA4E
• closesocket.WS2_32(?), ref: 00CDCB63
• GetTempPathA.KERNEL32(00000120,?), ref: 00CDCC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00CDCCB4
• WriteFile.KERNEL32(00CDA4B3,?,-000000E8,?,00000000), ref: 00CDCCDC
• CloseHandle.KERNEL32(00CDA4B3), ref: 00CDCCED
• wsprintfA.USER32 ref: 00CDCD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00CDCD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 00CDCD89
• CloseHandle.KERNEL32(?), ref: 00CDCD98
• CloseHandle.KERNEL32(?), ref: 00CDCD9D
• DeleteFileA.KERNEL32(?), ref: 00CDCDC4
• CloseHandle.KERNEL32(00CDA4B3), ref: 00CDCDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 00CDCFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 00CDCFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 00CDD033
• lstrcatA.KERNEL32(?,04300108), ref: 00CDD10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00CDD155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00CDD171
• WriteFile.KERNEL32(00000000,0430012C,?,?,00000000), ref: 00CDD195
• CloseHandle.KERNEL32(00000000), ref: 00CDD19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00CDD1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 00CDD231
• lstrcatA.KERNEL32(?,04300108,?,?,?,?,?,?,?,00000100), ref: 00CDD27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 00CDD2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 00CDD2C7
• WriteFile.KERNEL32(00000000,0430012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 00CDD2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 00CDD2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 00CDD326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 00CDD372
• lstrcatA.KERNEL32(?,04300108,?,?,?,?,?,?,?,00000100), ref: 00CDD3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 00CDD3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 00CDD408
• WriteFile.KERNEL32(00000000,0430012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 00CDD428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 00CDD42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 00CDD45B
• CreateProcessA.KERNEL32(?,00CE0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00CDD4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 00CDD4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 00CDD4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 00CDD513
• closesocket.WS2_32(?), ref: 00CDD56C
• Sleep.KERNEL32(000003E8), ref: 00CDD577
• ExitProcess.KERNEL32 ref: 00CDD583
• wsprintfA.USER32 ref: 00CDD81F
  • Part of subcall function 00CDC65C: send.WS2_32(00000000,?,00000000), ref: 00CDC74B
• closesocket.WS2_32(?), ref: 00CDDAD5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\kofydeki\pspizbvl.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-2662302004
• Opcode ID: 7622ae56569c010ca0c6040bb74006b86bb0a03f8102f82cecd2bce6a57eef13
• Instruction ID: adde27182f9cb504876119c8e99b17e5991c7d4b6d77b3a7df3c6dc4b9964b40
• Opcode Fuzzy Hash: 7622ae56569c010ca0c6040bb74006b86bb0a03f8102f82cecd2bce6a57eef13
• Instruction Fuzzy Hash: 6DB28571900289ABEB21ABA4DCC9FEE7BBDEB04304F14406BF715AB291D7709A45DB50
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00CD9A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00CD9A83
• SetUnhandledExceptionFilter.KERNEL32(00CD6511), ref: 00CD9A8A
  • Part of subcall function 00CDEC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00CDEC5E
  • Part of subcall function 00CDEC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 00CDEC72
  • Part of subcall function 00CDEC54: GetTickCount.KERNEL32 ref: 00CDEC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00CD9AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00CD9ABA
• GetCommandLineA.KERNEL32 ref: 00CD9AFD
• lstrlenA.KERNEL32(?), ref: 00CD9B99
• ExitProcess.KERNEL32 ref: 00CD9C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00CD9CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00CD9D7A
• lstrcatA.KERNEL32(?,?), ref: 00CD9D8B
• lstrcatA.KERNEL32(?,00CE070C), ref: 00CD9D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00CD9DED
• DeleteFileA.KERNEL32(00000022), ref: 00CD9E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00CD9E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00CD9EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00CD9ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00CD9F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00CD9F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00CD9F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00CD9FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00CD9FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00CD9FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 00CDA038
                                                                                                                                                                • lstrcatA.KERNEL32(00000022,00CE0A34), ref: 00CDA05E
                                                                                                                                                                • lstrcatA.KERNEL32(00000022,00000022), ref: 00CDA072
                                                                                                                                                                • lstrcatA.KERNEL32(00000022,00CE0A34), ref: 00CDA08D
                                                                                                                                                                • wsprintfA.USER32 ref: 00CDA0B6
                                                                                                                                                                • lstrcatA.KERNEL32(00000022,00000000), ref: 00CDA0DE
                                                                                                                                                                • lstrcatA.KERNEL32(00000022,?), ref: 00CDA0FD
                                                                                                                                                                • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00CDA120
                                                                                                                                                                • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00CDA131
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 00CDA174
                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 00CDA17B
                                                                                                                                                                • GetDriveTypeA.KERNEL32(00000022), ref: 00CDA1B6
                                                                                                                                                                • GetCommandLineA.KERNEL32 ref: 00CDA1E5
                                                                                                                                                                  • Part of subcall function 00CD99D2: lstrcpyA.KERNEL32(?,?,00000100,00CE22F8,00000000,?,00CD9E9D,?,00000022,?,?,?,?,?,?,?), ref: 00CD99DF
                                                                                                                                                                  • Part of subcall function 00CD99D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00CD9E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00CD9A3C
                                                                                                                                                                  • Part of subcall function 00CD99D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00CD9E9D,?,00000022,?,?,?), ref: 00CD9A52
                                                                                                                                                                • lstrlenA.KERNEL32(?), ref: 00CDA288
                                                                                                                                                                • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00CDA3B7
                                                                                                                                                                • GetLastError.KERNEL32 ref: 00CDA3ED
                                                                                                                                                                • Sleep.KERNELBASE(000003E8), ref: 00CDA400
                                                                                                                                                                • DeleteFileA.KERNELBASE(00CE33D8), ref: 00CDA407
                                                                                                                                                                • CreateThread.KERNELBASE(00000000,00000000,00CD405E,00000000,00000000,00000000), ref: 00CDA42C
                                                                                                                                                                • WSAStartup.WS2_32(00001010,?), ref: 00CDA43A
                                                                                                                                                                • CreateThread.KERNELBASE(00000000,00000000,00CD877E,00000000,00000000,00000000), ref: 00CDA469
                                                                                                                                                                • Sleep.KERNELBASE(00000BB8), ref: 00CDA48A
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00CDA49F
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00CDA4B7
                                                                                                                                                                • Sleep.KERNELBASE(00001A90), ref: 00CDA4C3
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                                                                                • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\kofydeki\pspizbvl.exe$D$P$\$kofydeki
                                                                                                                                                                • API String ID: 2089075347-4179335424
                                                                                                                                                                • Opcode ID: dfc13ab06b49269852bacab62363584b594a00186616ac9d7f4444e51f3b5250
                                                                                                                                                                • Instruction ID: 27c6d3b0123974b6b7bf6d6adb43c5a4ddd32ef31cdee15da2a162d1b5b7a66d
                                                                                                                                                                • Opcode Fuzzy Hash: dfc13ab06b49269852bacab62363584b594a00186616ac9d7f4444e51f3b5250
                                                                                                                                                                • Instruction Fuzzy Hash: A85284B1D40259AFDB11EBA0CC89FEE77BCEB04300F1444A7F719A6251E7709B859B61
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                 Control-flow Graph (rendered graph not included; basic blocks and edges listed below)
                                                                                                                                                                 control_flow_graph 905 cd199c-cd19cc inet_addr LoadLibraryA 906 cd19ce-cd19d0 905->906 907 cd19d5-cd19fe GetProcAddress * 3 905->907 908 cd1abf-cd1ac2 906->908 909 cd1a04-cd1a06 907->909 910 cd1ab3-cd1ab6 FreeLibrary 907->910 909->910 911 cd1a0c-cd1a0e 909->911 912 cd1abc 910->912 911->910 913 cd1a14-cd1a28 GetBestInterface GetProcessHeap 911->913 914 cd1abe 912->914 913->912 915 cd1a2e-cd1a40 HeapAlloc 913->915 914->908 915->912 916 cd1a42-cd1a50 GetAdaptersInfo 915->916 917 cd1a62-cd1a67 916->917 918 cd1a52-cd1a60 HeapReAlloc 916->918 919 cd1a69-cd1a73 GetAdaptersInfo 917->919 920 cd1aa1-cd1aad FreeLibrary 917->920 918->917 919->920 921 cd1a75 919->921 920->912 922 cd1aaf-cd1ab1 920->922 923 cd1a77-cd1a80 921->923 922->914 924 cd1a8a-cd1a91 923->924 925 cd1a82-cd1a86 923->925 927 cd1a96-cd1a9b HeapFree 924->927 928 cd1a93 924->928 925->923 926 cd1a88 925->926 926->927 927->920 928->927
                                                                                                                                                                APIs
                                                                                                                                                                • inet_addr.WS2_32(123.45.67.89), ref: 00CD19B1
                                                                                                                                                                • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,00CD1E9E), ref: 00CD19BF
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00CD19E2
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 00CD19ED
                                                                                                                                                                • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 00CD19F9
                                                                                                                                                                • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,00CD1E9E), ref: 00CD1A1B
                                                                                                                                                                • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00CD1E9E), ref: 00CD1A1D
                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00CD1E9E), ref: 00CD1A36
                                                                                                                                                                • GetAdaptersInfo.IPHLPAPI(00000000,00CD1E9E,?,?,?,?,00000001,00CD1E9E), ref: 00CD1A4A
                                                                                                                                                                • HeapReAlloc.KERNEL32(?,00000000,00000000,00CD1E9E,?,?,?,?,00000001,00CD1E9E), ref: 00CD1A5A
                                                                                                                                                                • GetAdaptersInfo.IPHLPAPI(00000000,00CD1E9E,?,?,?,?,00000001,00CD1E9E), ref: 00CD1A6E
                                                                                                                                                                • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00CD1E9E), ref: 00CD1A9B
                                                                                                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00CD1E9E), ref: 00CD1AA4
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                                                                                                • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                                                                                • API String ID: 293628436-270533642
                                                                                                                                                                • Opcode ID: 5557aa74cf2ce04f412ca05bed71cfc37324fb90e48ecac19345bcd74bbbe967
                                                                                                                                                                • Instruction ID: a9e014de88f69e9fd22c1eb71ca7936196ad2d49f61b1d3885ceb5a4d46de9d7
                                                                                                                                                                • Opcode Fuzzy Hash: 5557aa74cf2ce04f412ca05bed71cfc37324fb90e48ecac19345bcd74bbbe967
                                                                                                                                                                • Instruction Fuzzy Hash: C7316171D01249BFCB119FE5DDC89BEBBB5EF44301B29057AEA15A6210D7704F80EB90
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                 Control-flow Graph (rendered graph not included; basic blocks and edges listed below)
                                                                                                                                                                 control_flow_graph 696 cd7a95-cd7ac2 RegOpenKeyExA 697 cd7acb-cd7ae7 GetUserNameA 696->697 698 cd7ac4-cd7ac6 696->698 700 cd7aed-cd7b1e LookupAccountNameA 697->700 701 cd7da7-cd7db3 RegCloseKey 697->701 699 cd7db4-cd7db6 698->699 700->701 702 cd7b24-cd7b43 RegGetKeySecurity 700->702 701->699 702->701 703 cd7b49-cd7b61 GetSecurityDescriptorOwner 702->703 704 cd7bb8-cd7bd6 GetSecurityDescriptorDacl 703->704 705 cd7b63-cd7b72 EqualSid 703->705 706 cd7bdc-cd7be1 704->706 707 cd7da6 704->707 705->704 708 cd7b74-cd7b88 LocalAlloc 705->708 706->707 709 cd7be7-cd7bf2 706->709 707->701 708->704 710 cd7b8a-cd7b94 InitializeSecurityDescriptor 708->710 709->707 711 cd7bf8-cd7c08 GetAce 709->711 712 cd7b96-cd7ba4 SetSecurityDescriptorOwner 710->712 713 cd7bb1-cd7bb2 LocalFree 710->713 714 cd7c0e-cd7c1b 711->714 715 cd7cc6 711->715 712->713 716 cd7ba6-cd7bab RegSetKeySecurity 712->716 713->704 718 cd7c1d-cd7c2f EqualSid 714->718 719 cd7c4f-cd7c52 714->719 717 cd7cc9-cd7cd3 715->717 716->713 717->711 720 cd7cd9-cd7cdc 717->720 721 cd7c36-cd7c38 718->721 722 cd7c31-cd7c34 718->722 723 cd7c5f-cd7c71 EqualSid 719->723 724 cd7c54-cd7c5e 719->724 720->707 725 cd7ce2-cd7ce8 720->725 721->719 726 cd7c3a-cd7c4d DeleteAce 721->726 722->718 722->721 727 cd7c86 723->727 728 cd7c73-cd7c84 723->728 724->723 729 cd7d5a-cd7d6e LocalAlloc 725->729 730 cd7cea-cd7cf0 725->730 726->717 731 cd7c8b-cd7c8e 727->731 728->731 729->707 735 cd7d70-cd7d7a InitializeSecurityDescriptor 729->735 730->729 732 cd7cf2-cd7d0d RegOpenKeyExA 730->732 733 cd7c9d-cd7c9f 731->733 734 cd7c90-cd7c96 731->734 732->729 740 cd7d0f-cd7d16 732->740 736 cd7ca7-cd7cc3 733->736 737 cd7ca1-cd7ca5 733->737 734->733 738 cd7d7c-cd7d8a SetSecurityDescriptorDacl 735->738 739 cd7d9f-cd7da0 LocalFree 735->739 736->715 737->715 737->736 738->739 741 cd7d8c-cd7d9a RegSetKeySecurity 738->741 739->707 742 cd7d19-cd7d1e 740->742 741->739 743 cd7d9c 741->743 742->742 744 cd7d20-cd7d52 call cd2544 RegSetValueExA 742->744 743->739 744->729 747 cd7d54 744->747 747->729
                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00CD7ABA
                                                                                                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 00CD7ADF
                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,00CE070C,?,?,?), ref: 00CD7B16
                                                                                                                                                                • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00CD7B3B
                                                                                                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00CD7B59
                                                                                                                                                                • EqualSid.ADVAPI32(?,00000022), ref: 00CD7B6A
                                                                                                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00CD7B7E
                                                                                                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00CD7B8C
                                                                                                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00CD7B9C
                                                                                                                                                                • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 00CD7BAB
                                                                                                                                                                • LocalFree.KERNEL32(00000000), ref: 00CD7BB2
                                                                                                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,00CD7FC9,?,00000000), ref: 00CD7BCE
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                                                                                • String ID: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe$D
                                                                                                                                                                • API String ID: 2976863881-4275784296
                                                                                                                                                                • Opcode ID: 337c50b5f6c26b58aac8921f2afc1087dcd47f6d055162bdb5f80a082a47687d
                                                                                                                                                                • Instruction ID: 21e03694c06affb653592179936035f2df1e57912791fc3e0e55a57713f0c252
                                                                                                                                                                • Opcode Fuzzy Hash: 337c50b5f6c26b58aac8921f2afc1087dcd47f6d055162bdb5f80a082a47687d
                                                                                                                                                                • Instruction Fuzzy Hash: 53A19E72904259AFDF118FA0DC88FEEBBBDFF44700F14416AE615E6250E7758A85CBA0
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                 Control-flow Graph (rendered graph not included; basic blocks and edges listed below)
                                                                                                                                                                 control_flow_graph 748 cd7809-cd7837 GetUserNameA 749 cd783d-cd786e LookupAccountNameA 748->749 750 cd7a8e-cd7a94 748->750 749->750 751 cd7874-cd78a2 GetLengthSid GetFileSecurityA 749->751 751->750 752 cd78a8-cd78c3 GetSecurityDescriptorOwner 751->752 753 cd791d-cd793b GetSecurityDescriptorDacl 752->753 754 cd78c5-cd78da EqualSid 752->754 756 cd7a8d 753->756 757 cd7941-cd7946 753->757 754->753 755 cd78dc-cd78ed LocalAlloc 754->755 755->753 758 cd78ef-cd78f9 InitializeSecurityDescriptor 755->758 756->750 757->756 759 cd794c-cd7955 757->759 760 cd78fb-cd7909 SetSecurityDescriptorOwner 758->760 761 cd7916-cd7917 LocalFree 758->761 759->756 762 cd795b-cd796b GetAce 759->762 760->761 763 cd790b-cd7910 SetFileSecurityA 760->763 761->753 764 cd7a2a 762->764 765 cd7971-cd797e 762->765 763->761 768 cd7a2d-cd7a37 764->768 766 cd79ae-cd79b1 765->766 767 cd7980-cd7992 EqualSid 765->767 770 cd79be-cd79d0 EqualSid 766->770 771 cd79b3-cd79bd 766->771 772 cd7999-cd799b 767->772 773 cd7994-cd7997 767->773 768->762 769 cd7a3d-cd7a41 768->769 769->756 775 cd7a43-cd7a54 LocalAlloc 769->775 776 cd79e5 770->776 777 cd79d2-cd79e3 770->777 771->770 772->766 774 cd799d-cd79ac DeleteAce 772->774 773->767 773->772 774->768 775->756 778 cd7a56-cd7a60 InitializeSecurityDescriptor 775->778 779 cd79ea-cd79ed 776->779 777->779 780 cd7a86-cd7a87 LocalFree 778->780 781 cd7a62-cd7a71 SetSecurityDescriptorDacl 778->781 782 cd79ef-cd79f5 779->782 783 cd79f8-cd79fb 779->783 780->756 781->780 784 cd7a73-cd7a81 SetFileSecurityA 781->784 782->783 785 cd79fd-cd7a01 783->785 786 cd7a03-cd7a0e 783->786 784->780 787 cd7a83 784->787 785->764 785->786 788 cd7a19-cd7a24 786->788 789 cd7a10-cd7a17 786->789 787->780 790 cd7a27 788->790 789->790 790->764
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 00CD782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00CD7866
• GetLengthSid.ADVAPI32(?), ref: 00CD7878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00CD789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00CD7F63,?), ref: 00CD78B8
• EqualSid.ADVAPI32(?,00CD7F63), ref: 00CD78D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00CD78E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00CD78F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00CD7901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00CD7910
• LocalFree.KERNEL32(00000000), ref: 00CD7917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CD7933
• GetAce.ADVAPI32(?,00000000,?), ref: 00CD7963
• EqualSid.ADVAPI32(?,00CD7F63), ref: 00CD798A
• DeleteAce.ADVAPI32(?,00000000), ref: 00CD79A3
• EqualSid.ADVAPI32(?,00CD7F63), ref: 00CD79C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00CD7A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00CD7A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00CD7A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00CD7A79
• LocalFree.KERNEL32(00000000), ref: 00CD7A87
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: 518e542d3189699679eb6b272a6225298fcf226e43d2926c13f03ee705686ea0
• Instruction ID: 8d8e52c5134e8e350786ba50d896aff7a568be1108195389859931f49f31ea59
• Opcode Fuzzy Hash: 518e542d3189699679eb6b272a6225298fcf226e43d2926c13f03ee705686ea0
• Instruction Fuzzy Hash: 31814072D04159ABDB21CFA5CD84FEEBBB8EF08340F14426AE615E6250E7749B41DFA0

Control-flow Graph (function at 00CD8328; raw graph edge list omitted, see the APIs list below)
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00CD83F3
• RegQueryValueExA.KERNELBASE(00CE0750,?,00000000,?,00CD8893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00CD8414
• RegSetValueExA.KERNELBASE(00CE0750,?,00000000,00000004,00CD8893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00CD8441
• RegCloseKey.ADVAPI32(00CE0750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00CD844A
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe$localcfg
• API String ID: 237177642-3039148244
• Opcode ID: 0762c468e60e1eaaee3c28b9b6869ca0a6547e0064ca926acdb4847477bafe3c
• Instruction ID: d4643da47842f228e21b4bc62f22a0a6a6a7b17fbab91dbba4ff6b5936110946
• Opcode Fuzzy Hash: 0762c468e60e1eaaee3c28b9b6869ca0a6547e0064ca926acdb4847477bafe3c
• Instruction Fuzzy Hash: 73C191B194024DBEEF11ABA4DC85FEE7BBCEB04300F244467F715A6251EA705F889B61

Control-flow Graph (function at 00CD1D96; raw graph edge list omitted, see the APIs list below)
APIs
• GetVersionExA.KERNEL32 ref: 00CD1DC6
• GetSystemInfo.KERNELBASE(?), ref: 00CD1DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00CD1E03
• GetProcAddress.KERNEL32(00000000), ref: 00CD1E0A
• GetCurrentProcess.KERNEL32(?), ref: 00CD1E1B
• GetTickCount.KERNEL32 ref: 00CD1FC9
  • Part of subcall function 00CD1BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00CD1C15
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: cfdb4da0aa23e09cf105cf8526be2ce47b57f3f3bd0cef0f170a4711a82c2add
• Instruction ID: dc25c3bb5e67827d60020bc01b0c706c83c6faf1a59fdc20500138f1f9dc0190
• Opcode Fuzzy Hash: cfdb4da0aa23e09cf105cf8526be2ce47b57f3f3bd0cef0f170a4711a82c2add
• Instruction Fuzzy Hash: 0251DAB15043847FE320AFB68C85F27BAECEB44704F04091EFA9A46753D7B4A944D7A1

Control-flow Graph (function at 00CD73FF; raw graph edge list omitted, see the APIs list below)
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00CD7472
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00CD74F0
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00CD7528
• ___ascii_stricmp.LIBCMT ref: 00CD764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00CD76E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00CD7706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00CD7717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00CD7745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00CD77EF
  • Part of subcall function 00CDF1A5: lstrlenA.KERNEL32(000000C8,000000E4,00CE22F8,000000C8,00CD7150,?), ref: 00CDF1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00CD778F
• RegCloseKey.KERNELBASE(?), ref: 00CD77E6
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: bee349a33ca13f29131b9198e85ee4d17807dbc46dad1a9273b5a9f9c1ed5277
• Instruction ID: 26e326627b71dffd1b4f32863bd387573f835be1d86639798714ed6044da454d
• Opcode Fuzzy Hash: bee349a33ca13f29131b9198e85ee4d17807dbc46dad1a9273b5a9f9c1ed5277
• Instruction Fuzzy Hash: B9C1C371904209ABDB12ABA5DC45FEE7BB9EF44310F240597F614EA290FB70DA809B60

Control-flow Graph (function at 00CD675C; raw graph edge list omitted; the graph references SetFileAttributesA, CreateFileA, GetFileSize, ReadFile, SetFilePointer and FindCloseChangeNotification)
                                                                                                                                                                APIs
                                                                                                                                                                • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 00CD677E
                                                                                                                                                                • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 00CD679A
                                                                                                                                                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 00CD67B0
                                                                                                                                                                • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 00CD67BF
                                                                                                                                                                • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 00CD67D3
                                                                                                                                                                • ReadFile.KERNELBASE(000000FF,?,00000040,00CD8244,00000000,?,74DF0F10,00000000), ref: 00CD6807
                                                                                                                                                                • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 00CD681F
                                                                                                                                                                • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 00CD683E
                                                                                                                                                                • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 00CD685C
                                                                                                                                                                • ReadFile.KERNEL32(000000FF,?,00000028,00CD8244,00000000,?,74DF0F10,00000000), ref: 00CD688B
                                                                                                                                                                • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00CD6906
                                                                                                                                                                • ReadFile.KERNEL32(000000FF,?,00000000,00CD8244,00000000,?,74DF0F10,00000000), ref: 00CD691C
                                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00CD6971
                                                                                                                                                                  • Part of subcall function 00CDEC2E: GetProcessHeap.KERNEL32(00000000,00CDEA27,00000000,00CDEA27,00000000), ref: 00CDEC41
                                                                                                                                                                  • Part of subcall function 00CDEC2E: RtlFreeHeap.NTDLL(00000000), ref: 00CDEC48
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
• String ID:
• API String ID: 1400801100-0
• Opcode ID: 4556907f60d0a4c94daa468777de5f9f170128096cdaaeb6a013b6e0176f7b8b
• Instruction ID: 5ce9231d181f5574eb9308480ae088e5322b378ff26db490e5ed19f8c61e2507
• Opcode Fuzzy Hash: 4556907f60d0a4c94daa468777de5f9f170128096cdaaeb6a013b6e0176f7b8b
• Instruction Fuzzy Hash: A4710BB1D0021DEFDF119FA5CC80AEEBBB9FB04314F10456AE625A6290E7709F92DB50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted)

APIs
• htons.WS2_32(00CDCA1D), ref: 00CDF34D
• socket.WS2_32(00000002,00000001,00000000), ref: 00CDF367
• closesocket.WS2_32(00000000), ref: 00CDF375
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 1cb8c8d52a28566d2572bbb3ad2c9720b94622e0f79a1c6f381cd50e6b784611
• Instruction ID: 10fcc25ba9b092f9ee41330991f34251e80145b153ba12ce9190acf971302fb7
• Opcode Fuzzy Hash: 1cb8c8d52a28566d2572bbb3ad2c9720b94622e0f79a1c6f381cd50e6b784611
• Instruction Fuzzy Hash: F7316D72900158ABDB109FA5DC85AEF7BFCFF49314F10416AFA15D6251E7709A828BE0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted)

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00CD4070
• ExitProcess.KERNEL32 ref: 00CD4121
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0
• Opcode ID: 63b697440aeed4251717c8954feab9d987cefab98dce7a952a6f29ff866acde1
• Instruction ID: cd6b71c34da325717b90a6d71e56eee92181445fa43b8f47f6bbb7d64ede87e2
• Opcode Fuzzy Hash: 63b697440aeed4251717c8954feab9d987cefab98dce7a952a6f29ff866acde1
• Instruction Fuzzy Hash: 8E5183B1D40219BBEB24ABA18C86FFFBB7CEB15714F100056FB14A6291E7709B41D7A1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted)

APIs
• GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00CD2F01,?,00CD20FF,00CE2000), ref: 00CD2D3A
• LoadLibraryA.KERNEL32(?), ref: 00CD2D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00CD2D61
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00CD2D77
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00CD2D99
• HeapAlloc.KERNEL32(00000000), ref: 00CD2DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00CD2DCB
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 233223969-3847274415
• Opcode ID: 57d19596239a07bbd40d824d24bcfcc3ca4a0b5aaa44fb28fc550bd724f855cf
• Instruction ID: 5b4d5ccaf0bca6bb0bf9f8cc5ede0acfe6a1772a8acea564e2decc3d8590b771
• Opcode Fuzzy Hash: 57d19596239a07bbd40d824d24bcfcc3ca4a0b5aaa44fb28fc550bd724f855cf
• Instruction Fuzzy Hash: 1E217471900625ABCB219F95DC84AAFBBB9EF18750F104056FA55E7210D7B0DA85CBE0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted)

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00CD815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00CDA45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00CD8187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00CDA45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00CD81BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00CD8210
  • Part of subcall function 00CD675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 00CD677E
  • Part of subcall function 00CD675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 00CD679A
  • Part of subcall function 00CD675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 00CD67B0
  • Part of subcall function 00CD675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 00CD67BF
  • Part of subcall function 00CD675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 00CD67D3
  • Part of subcall function 00CD675C: ReadFile.KERNELBASE(000000FF,?,00000040,00CD8244,00000000,?,74DF0F10,00000000), ref: 00CD6807
  • Part of subcall function 00CD675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 00CD681F
  • Part of subcall function 00CD675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 00CD683E
  • Part of subcall function 00CD675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 00CD685C
  • Part of subcall function 00CDEC2E: GetProcessHeap.KERNEL32(00000000,00CDEA27,00000000,00CDEA27,00000000), ref: 00CDEC41
  • Part of subcall function 00CDEC2E: RtlFreeHeap.NTDLL(00000000), ref: 00CDEC48
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                                                                                • String ID: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe
                                                                                                                                                                • API String ID: 124786226-872712706
                                                                                                                                                                • Opcode ID: c841fb361d346efee3637bb4ac9615da9a56d4c28c11ac77d7c2697cc0dda6bb
                                                                                                                                                                • Instruction ID: d800e4247118a9a4d86e447e9221f5d874d8a7c26061e2767efb2f51adb304da
                                                                                                                                                                • Opcode Fuzzy Hash: c841fb361d346efee3637bb4ac9615da9a56d4c28c11ac77d7c2697cc0dda6bb
                                                                                                                                                                • Instruction Fuzzy Hash: 7B4160B2901149BFEB10EBA0DDC1FBE77ACAB04304F1444ABF615A6211EA709F489B51
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                 Basic blocks (edges shown as ->):
                                                                                                                                                                 • 1300 cd1ac3-cd1adc LoadLibraryA -> 1301, 1302
                                                                                                                                                                 • 1301 cd1b6b-cd1b70
                                                                                                                                                                 • 1302 cd1ae2-cd1af3 GetProcAddress -> 1303, 1304
                                                                                                                                                                 • 1303 cd1b6a -> 1301
                                                                                                                                                                 • 1304 cd1af5-cd1b01 -> 1305
                                                                                                                                                                 • 1305 cd1b1c-cd1b27 GetAdaptersAddresses -> 1306, 1307
                                                                                                                                                                 • 1306 cd1b29-cd1b2b -> 1309, 1310
                                                                                                                                                                 • 1307 cd1b03-cd1b12 call cdebed -> 1306, 1316
                                                                                                                                                                 • 1309 cd1b2d-cd1b32 -> 1311, 1314
                                                                                                                                                                 • 1310 cd1b5b-cd1b5e -> 1311, 1312
                                                                                                                                                                 • 1311 cd1b69 -> 1303
                                                                                                                                                                 • 1312 cd1b60-cd1b68 call cdec2e -> 1311
                                                                                                                                                                 • 1314 cd1b34-cd1b3b -> 1317, 1318
                                                                                                                                                                 • 1316 cd1b14-cd1b1b -> 1305
                                                                                                                                                                 • 1317 cd1b3d-cd1b52 -> 1317, 1318
                                                                                                                                                                 • 1318 cd1b54-cd1b59 -> 1310, 1314
                                                                                                                                                                APIs
                                                                                                                                                                • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00CD1AD4
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00CD1AE9
                                                                                                                                                                • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00CD1B20
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                                                                                                • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                                                                                • API String ID: 3646706440-1087626847
                                                                                                                                                                • Opcode ID: e1615151d442e4a98042ff177fa72fccab77a56828a5616545d4c59f08cf2013
                                                                                                                                                                • Instruction ID: 651864599225b59e25d07bd8a57f808fae83d11af3db7edba4bc59e2666082a6
                                                                                                                                                                • Opcode Fuzzy Hash: e1615151d442e4a98042ff177fa72fccab77a56828a5616545d4c59f08cf2013
                                                                                                                                                                • Instruction Fuzzy Hash: F211D6B1E01128BFCB119BA5DC858ADBBB9EB44B10B284057E615EB241E6705F81DB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                 Basic blocks (edges shown as ->):
                                                                                                                                                                 • 1320 cde3ca-cde3ee RegOpenKeyExA -> 1321, 1322
                                                                                                                                                                 • 1321 cde528-cde52d
                                                                                                                                                                 • 1322 cde3f4-cde3fb -> 1323
                                                                                                                                                                 • 1323 cde3fe-cde403 -> 1323, 1324
                                                                                                                                                                 • 1324 cde405-cde40f -> 1325, 1326
                                                                                                                                                                 • 1325 cde414-cde452 call cdee08 call cdf1ed RegQueryValueExA -> 1331, 1332
                                                                                                                                                                 • 1326 cde411-cde413 -> 1325
                                                                                                                                                                 • 1331 cde51d-cde527 RegCloseKey -> 1321
                                                                                                                                                                 • 1332 cde458-cde486 call cdf1ed RegQueryValueExA -> 1335
                                                                                                                                                                 • 1335 cde488-cde48a -> 1331, 1336
                                                                                                                                                                 • 1336 cde490-cde4a1 call cddb2e -> 1331, 1339
                                                                                                                                                                 • 1339 cde4a3-cde4a6 -> 1340
                                                                                                                                                                 • 1340 cde4a9-cde4d3 call cdf1ed RegQueryValueExA -> 1343, 1344
                                                                                                                                                                 • 1343 cde4e8-cde4ea -> 1331, 1346
                                                                                                                                                                 • 1344 cde4d5-cde4da -> 1343, 1345
                                                                                                                                                                 • 1345 cde4dc-cde4e6 -> 1340, 1343
                                                                                                                                                                 • 1346 cde4ec-cde516 call cd2544 call cde332 -> 1331
                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.KERNELBASE(80000001,00CDE5F2,00000000,00020119,00CDE5F2,00CE22F8), ref: 00CDE3E6
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(00CDE5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 00CDE44E
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(00CDE5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 00CDE482
                                                                                                                                                                • RegQueryValueExA.ADVAPI32(00CDE5F2,?,00000000,?,80000001,?), ref: 00CDE4CF
                                                                                                                                                                • RegCloseKey.ADVAPI32(00CDE5F2,?,?,?,?,000000C8,000000E4), ref: 00CDE520
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: QueryValue$CloseOpen
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1586453840-0
                                                                                                                                                                • Opcode ID: fbbc83bb5a25ab8186bf789f6edfa6a96f0993a5d41e2e69e6d95e1ad32f70fb
                                                                                                                                                                • Instruction ID: b8e1d39b24eccc76fbe4bba0a277c5bd563970ff63bd728205cb8cb1580c6151
                                                                                                                                                                • Opcode Fuzzy Hash: fbbc83bb5a25ab8186bf789f6edfa6a96f0993a5d41e2e69e6d95e1ad32f70fb
                                                                                                                                                                • Instruction Fuzzy Hash: B441F7B2D00219BFDF11AFE4DC85EEEBBBDFB04344F144466FA11A6250E3319A559B60
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                 Basic blocks:
                                                                                                                                                                 • 1351 cdf26d-cdf303 setsockopt * 5
                                                                                                                                                                APIs
                                                                                                                                                                • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 00CDF2A0
                                                                                                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 00CDF2C0
                                                                                                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 00CDF2DD
                                                                                                                                                                • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00CDF2EC
                                                                                                                                                                • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00CDF2FD
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: setsockopt
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3981526788-0
                                                                                                                                                                • Opcode ID: c4b05f2b64282ca42a4d32eb8f49b5b57e1d42bf131a694eba7627224fb47a6d
                                                                                                                                                                • Instruction ID: 2afd36ad1daf8c3b477471f95520477d2b992db04fbc0af4f3eef1fc35e7fcc8
                                                                                                                                                                • Opcode Fuzzy Hash: c4b05f2b64282ca42a4d32eb8f49b5b57e1d42bf131a694eba7627224fb47a6d
                                                                                                                                                                • Instruction Fuzzy Hash: DF11F8B2A40248BAEB11DF94CD85F9E7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                 Basic blocks (edges shown as ->):
                                                                                                                                                                 • 1352 cd1bdf-cd1c04 call cd1ac3 -> 1354
                                                                                                                                                                 • 1354 cd1c09-cd1c0b -> 1355, 1356
                                                                                                                                                                 • 1355 cd1c0d-cd1c1d GetComputerNameA -> 1357, 1358
                                                                                                                                                                 • 1356 cd1c5a-cd1c5e
                                                                                                                                                                 • 1357 cd1c1f-cd1c24 -> 1358, 1359
                                                                                                                                                                 • 1358 cd1c45-cd1c57 GetVolumeInformationA -> 1356
                                                                                                                                                                 • 1359 cd1c26-cd1c3b -> 1359, 1360
                                                                                                                                                                 • 1360 cd1c3d-cd1c3f -> 1358, 1361
                                                                                                                                                                 • 1361 cd1c41-cd1c43 -> 1356
                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 00CD1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00CD1AD4
                                                                                                                                                                  • Part of subcall function 00CD1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00CD1AE9
                                                                                                                                                                  • Part of subcall function 00CD1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00CD1B20
                                                                                                                                                                • GetComputerNameA.KERNEL32(?,0000000F), ref: 00CD1C15
                                                                                                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00CD1C51
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                                                                                                • String ID: hi_id$localcfg
                                                                                                                                                                • API String ID: 2794401326-2393279970
                                                                                                                                                                • Opcode ID: e794f870f651e9c6221e3da73a79d66afb939d9c1a937ea03da77ee6ef3ecce8
                                                                                                                                                                • Instruction ID: 2a239a9dc8089ee21abd61ad7540f9eee631c6fc32a86dbd95a0e24e8ff1e8db
                                                                                                                                                                • Opcode Fuzzy Hash: e794f870f651e9c6221e3da73a79d66afb939d9c1a937ea03da77ee6ef3ecce8
                                                                                                                                                                • Instruction Fuzzy Hash: 3C018076A50118BBEB50DEE9C8C59EFBABCAB84745F14047AEB12E2240D6709E4486A0
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 00CD1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00CD1AD4
                                                                                                                                                                  • Part of subcall function 00CD1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00CD1AE9
                                                                                                                                                                  • Part of subcall function 00CD1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00CD1B20
                                                                                                                                                                • GetComputerNameA.KERNEL32(?,0000000F), ref: 00CD1BA3
                                                                                                                                                                • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,00CD1EFD,00000000,00000000,00000000,00000000), ref: 00CD1BB8
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                • API String ID: 2794401326-1857712256
                                                                                                                                                                • Opcode ID: f8a735ce1ccca12f53f2cc156ede7d49dacaf8a951b1b881773dd91a23a8b2bc
                                                                                                                                                                • Instruction ID: 03e5423533906c54bf443c50fe744bcf1da46bba610ce58b78a35a19d304eb26
                                                                                                                                                                • Opcode Fuzzy Hash: f8a735ce1ccca12f53f2cc156ede7d49dacaf8a951b1b881773dd91a23a8b2bc
                                                                                                                                                                • Instruction Fuzzy Hash: 15014BB6D00118BFEB009BE9CC81AEFFABDAB48650F250162AB11E7251D5705E0856E0
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • inet_addr.WS2_32(00000001), ref: 00CD2693
                                                                                                                                                                • gethostbyname.WS2_32(00000001), ref: 00CD269F
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: gethostbynameinet_addr
                                                                                                                                                                • String ID: time_cfg
                                                                                                                                                                • API String ID: 1594361348-2401304539
                                                                                                                                                                • Opcode ID: 49d702cb20a505e8d43c8675a574649ea775da9a5efdd8696aa4ddbfa145a8e0
                                                                                                                                                                • Instruction ID: 329c6dac4becbac32d450bef0874b548c8441884c645a113dbc072e22e6f5918
                                                                                                                                                                • Opcode Fuzzy Hash: 49d702cb20a505e8d43c8675a574649ea775da9a5efdd8696aa4ddbfa145a8e0
                                                                                                                                                                • Instruction Fuzzy Hash: 08E0C2306042518FCB108F28F888BC977E5EF16330F114182F660CB2A0C770DDC29780
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 00CDDD05: GetTickCount.KERNEL32 ref: 00CDDD0F
                                                                                                                                                                  • Part of subcall function 00CDDD05: InterlockedExchange.KERNEL32(00CE36B4,00000001), ref: 00CDDD44
                                                                                                                                                                  • Part of subcall function 00CDDD05: GetCurrentThreadId.KERNEL32 ref: 00CDDD53
                                                                                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,00CDA445), ref: 00CDE558
                                                                                                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,74DF0F10,?,00000000,?,00CDA445), ref: 00CDE583
                                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,00CDA445), ref: 00CDE5B2
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3683885500-0
                                                                                                                                                                • Opcode ID: 90f6510050accc204467659080187c50f93b428e3bd6781586d1435aae01abcc
                                                                                                                                                                • Instruction ID: d84be42405f50ec2e220bd563e2c00867fedfdf2b5995333f76b0a7a745cc309
                                                                                                                                                                • Opcode Fuzzy Hash: 90f6510050accc204467659080187c50f93b428e3bd6781586d1435aae01abcc
                                                                                                                                                                • Instruction Fuzzy Hash: 8121E7B29402447AE6207A726C47F6F3A1CDB54754F10041ABF0AA93D3F961EA10A1F1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • Sleep.KERNELBASE(000003E8), ref: 00CD88A5
                                                                                                                                                                  • Part of subcall function 00CDF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,00CDE342,00000000,75A8EA50,80000001,00000000,00CDE513,?,00000000,00000000,?,000000E4), ref: 00CDF089
                                                                                                                                                                  • Part of subcall function 00CDF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,00CDE342,00000000,75A8EA50,80000001,00000000,00CDE513,?,00000000,00000000,?,000000E4,000000C8), ref: 00CDF093
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Time$FileSystem$Sleep
                                                                                                                                                                • String ID: localcfg$rresolv
                                                                                                                                                                • API String ID: 1561729337-486471987
                                                                                                                                                                • Opcode ID: 871ebe130d20f1f2a77043cbaa3a3d6008bea0ad08ec5a68d6f46832b9dc5aec
                                                                                                                                                                • Instruction ID: 64b510cc9665c9df52bb62dc073b4dd51a512b0ce95c4c9adea77847cc256009
                                                                                                                                                                • Opcode Fuzzy Hash: 871ebe130d20f1f2a77043cbaa3a3d6008bea0ad08ec5a68d6f46832b9dc5aec
                                                                                                                                                                • Instruction Fuzzy Hash: 2C21A7325483556AF314BBA56CC7B6E36ACEB44710FA4041FF7189A3C3EEE19544A1A1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,00CE22F8,00CD42B6,00000000,00000001,00CE22F8,00000000,?,00CD98FD), ref: 00CD4021
                                                                                                                                                                • GetLastError.KERNEL32(?,00CD98FD,00000001,00000100,00CE22F8,00CDA3C7), ref: 00CD402C
                                                                                                                                                                • Sleep.KERNEL32(000001F4,?,00CD98FD,00000001,00000100,00CE22F8,00CDA3C7), ref: 00CD4046
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CreateErrorFileLastSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 408151869-0
                                                                                                                                                                • Opcode ID: 85b3e2bde55414381dcdeebb57b0c6c5a6b0f27e750a3bffbe15164896f055a9
                                                                                                                                                                • Instruction ID: cc31a749c41c538b80114cb971cf16f5b2a5127335782f3f3bc40d60873d97bc
                                                                                                                                                                • Opcode Fuzzy Hash: 85b3e2bde55414381dcdeebb57b0c6c5a6b0f27e750a3bffbe15164896f055a9
                                                                                                                                                                • Instruction Fuzzy Hash: 3CF0EC312441016FD7394B34AC89B1E3361DB81730F354B26F3B5E61E0C77069C19B55
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetEnvironmentVariableA.KERNEL32(00CDDC19,?,00000104), ref: 00CDDB7F
                                                                                                                                                                • lstrcpyA.KERNEL32(?,00CE28F8), ref: 00CDDBA4
                                                                                                                                                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 00CDDBC2
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2536392590-0
                                                                                                                                                                • Opcode ID: d976afcc237430f55e107b951735e86cbcaccf800eddd8d09f11098e4e3270e2
                                                                                                                                                                • Instruction ID: 7c4af71de4e8439429474cea0df297e3580f68d30b46c15e75e30d2b18c1d24a
                                                                                                                                                                • Opcode Fuzzy Hash: d976afcc237430f55e107b951735e86cbcaccf800eddd8d09f11098e4e3270e2
                                                                                                                                                                • Instruction Fuzzy Hash: B3F09070540249BBEF209F64DD89FD93B69AB10318F204194BB91A80D0D7F2D585CB50
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00CDEC5E
                                                                                                                                                                • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 00CDEC72
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00CDEC78
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1209300637-0
                                                                                                                                                                • Opcode ID: e5226592e93b3d4e55211ff2096d3f51fb15699a2900a8ad3e05d39034e72fc0
                                                                                                                                                                • Instruction ID: 9c6ca390e070c1792c9715ef6f31bb500fef8208ad9fd428e551280d64ab7320
                                                                                                                                                                • Opcode Fuzzy Hash: e5226592e93b3d4e55211ff2096d3f51fb15699a2900a8ad3e05d39034e72fc0
                                                                                                                                                                • Instruction Fuzzy Hash: B0E09AF5810144BFE701EBB0DC8EF6F77BCFB08314F500654B911DA090DAB4AA448BA0
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • gethostname.WS2_32(?,00000080), ref: 00CD30D8
                                                                                                                                                                • gethostbyname.WS2_32(?), ref: 00CD30E2
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: gethostbynamegethostname
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3961807697-0
                                                                                                                                                                • Opcode ID: 5eba99f7d1df9d1a06d7951846837efb6cd46ad0691bff5a069fa1bbc61082df
                                                                                                                                                                • Instruction ID: 6e28b606d077367b9128c776fd29f170cf5fb5ba73e4684c251da70e7f6dc197
                                                                                                                                                                • Opcode Fuzzy Hash: 5eba99f7d1df9d1a06d7951846837efb6cd46ad0691bff5a069fa1bbc61082df
                                                                                                                                                                • Instruction Fuzzy Hash: 33E01B72901159ABCF10EBA8EC89F9B77ECFF05304F184561FA45E7255EA74F9048790
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,00CDDB55,7FFF0001), ref: 00CDEC13
                                                                                                                                                                • RtlReAllocateHeap.NTDLL(00000000,?,00CDDB55,7FFF0001), ref: 00CDEC1A
                                                                                                                                                                  • Part of subcall function 00CDEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,00CDEBFE,7FFF0001,?,00CDDB55,7FFF0001), ref: 00CDEBD3
                                                                                                                                                                  • Part of subcall function 00CDEBCC: RtlAllocateHeap.NTDLL(00000000,?,00CDDB55,7FFF0001), ref: 00CDEBDA
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 57e75a780ed8b3210eb671422ba2fff782ba089ad1511e36999d8b4e58d8ae6b
• Instruction ID: 1888667a6b7e4f9d3f0d26cab74169660a7336a915b7d8b399a8d9318bfe402e
• Opcode Fuzzy Hash: 57e75a780ed8b3210eb671422ba2fff782ba089ad1511e36999d8b4e58d8ae6b
• Instruction Fuzzy Hash: 0AE01A32104218BBDF013BA4EC49BAD3B59EB44362F108017FA0D8D271CB729A90EAD8
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CDEBA0: GetProcessHeap.KERNEL32(00000000,00000000,00CDEC0A,00000000,80000001,?,00CDDB55,7FFF0001), ref: 00CDEBAD
  • Part of subcall function 00CDEBA0: HeapSize.KERNEL32(00000000,?,00CDDB55,7FFF0001), ref: 00CDEBB4
• GetProcessHeap.KERNEL32(00000000,00CDEA27,00000000,00CDEA27,00000000), ref: 00CDEC41
• RtlFreeHeap.NTDLL(00000000), ref: 00CDEC48
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$FreeSize
• String ID:
• API String ID: 1305341483-0
• Opcode ID: 4ddac468e379599b947a552967326ff080a7d2dc8e1a3122b5fa6b80d7f5ca43
• Instruction ID: 819de881178a757f88354f5e4934e3dd3d8f43848ed1f840b2b330e02a0df781
• Opcode Fuzzy Hash: 4ddac468e379599b947a552967326ff080a7d2dc8e1a3122b5fa6b80d7f5ca43
• Instruction Fuzzy Hash: 05C01232406270ABC5513750BC4DF9F6B189F45711F19040EF5056E160C7A068804AE5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,00CDEBFE,7FFF0001,?,00CDDB55,7FFF0001), ref: 00CDEBD3
• RtlAllocateHeap.NTDLL(00000000,?,00CDDB55,7FFF0001), ref: 00CDEBDA
  • Part of subcall function 00CDEB74: GetProcessHeap.KERNEL32(00000000,00000000,00CDEC28,00000000,?,00CDDB55,7FFF0001), ref: 00CDEB81
  • Part of subcall function 00CDEB74: HeapSize.KERNEL32(00000000,?,00CDDB55,7FFF0001), ref: 00CDEB88
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
• Opcode ID: ebc6843fad8d6f9be1a53113a4e81249a18936e092a5593f8f2e381112cf2678
• Instruction ID: 946a174d4964642e60518cbc8957f743812ad5c8d877289f666a931ffeb63942
• Opcode Fuzzy Hash: ebc6843fad8d6f9be1a53113a4e81249a18936e092a5593f8f2e381112cf2678
• Instruction Fuzzy Hash: 6CC08C32208360BBC61137E4BC0CF9E3E98EF083A2F14000AF609CE270CB7048808BE6
Uniqueness
Uniqueness Score: -1.00%

APIs
• recv.WS2_32(000000C8,?,00000000,00CDCA44), ref: 00CDF476
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: 7ce263f62e1cbb5bcae88e3945b659b917c015f3d38ca7a9197c553a866fbbb0
• Instruction ID: 8b87f05911e79d40228dc78b1c867183e7248b7f1dfa7b5e91c8f79c3a9194c2
• Opcode Fuzzy Hash: 7ce263f62e1cbb5bcae88e3945b659b917c015f3d38ca7a9197c553a866fbbb0
• Instruction Fuzzy Hash: F0F08C3220014ABB9B01AE9ADC84CAB3BAEFB893107040126FB15D7210D631E8628BA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• closesocket.WS2_32(00000000), ref: 00CD1992
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: 7fe2bb7a3e5710432f6addd7aa7330ebf9dda4e04cc5423fbada7a57e257da5d
• Instruction ID: df0866d236ec63cb09664d9e9f63acebc474eb5eed20a3d8a777f0aef5b70840
• Opcode Fuzzy Hash: 7fe2bb7a3e5710432f6addd7aa7330ebf9dda4e04cc5423fbada7a57e257da5d
• Instruction Fuzzy Hash: 85D022222082313A42002318BC0457FABCCDF04262710802BFE48C0210C730CC8283D1
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 00CDDDB5
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
• Opcode ID: bb628b5476d53b10703df2b01e1a7f5b3f7a8d127ebd4e41ae9405c8bdc2f8b2
• Instruction ID: c201a55bbae0018cba0ff5955ffb7cd929e077c953035d04e681161e296ab6a6
• Opcode Fuzzy Hash: bb628b5476d53b10703df2b01e1a7f5b3f7a8d127ebd4e41ae9405c8bdc2f8b2
• Instruction Fuzzy Hash: 64F08231A00342CBCF20CE29A884756B3EAEB49325F14483FE366D2290DB30DD55CB71
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00CD9816,EntryPoint), ref: 00CD638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00CD9816,EntryPoint), ref: 00CD63A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00CD63CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00CD63EB
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 14e94acc1e3245059de862e34d347eda2e7275b60175ba93a70df495384c216c
• Instruction ID: a8644fccdaa5cdaac510d17267c5c30c99a8cad54ec55b28c206b356fd1d6242
• Opcode Fuzzy Hash: 14e94acc1e3245059de862e34d347eda2e7275b60175ba93a70df495384c216c
• Instruction Fuzzy Hash: F21173B2600259BFDB119F65DC49F9F3BA8EB047A5F114025FA19EB390D671DD00CAB0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00CD1839,00CD9646), ref: 00CD1012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 00CD10C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 00CD10E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00CD1101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00CD1121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00CD1140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00CD1160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00CD1180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 00CD119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 00CD11BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 00CD11DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 00CD11FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 00CD121A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: ae2c08237d149f157cfc0b1e3a86617607c3880049a28e42c18a803bc3090619
• Instruction ID: 0a2f0a3c5d8f0e5726902053f7d668a7dbf7c8a295a89587268d3fa6ae0705b1
• Opcode Fuzzy Hash: ae2c08237d149f157cfc0b1e3a86617607c3880049a28e42c18a803bc3090619
• Instruction Fuzzy Hash: CF515E72546AC1BAD7109B69ACC876A36A86748320F1D03679A30DB2F1D7F4EBC1CB51
Uniqueness
Uniqueness Score: -1.00%
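
Two of the function listings above carry the security-relevant content of this dump. In the function at 00CD638F the VirtualAllocEx slots 00001000 and 00000040 are MEM_COMMIT and PAGE_EXECUTE_READWRITE, so the function commits executable, writable memory in another process and then calls WriteProcessMemory into it, which is the write half of a classic injection chain. The function at 00CD1012 loads ntdll.dll by name and resolves token-manipulation primitives (NtOpenProcessToken, NtDuplicateToken, NtSetInformationToken, RtlAllocateAndInitializeSid) and NtSetInformationThread through GetProcAddress, so none of them appear in the import table. Note that the String ID line for that function also names NtFilterToken, NtQueryInformationToken and RtlLengthSid, which do not appear among the GetProcAddress bullets, so the bullet list is not exhaustive. The following Python is an added example, not part of the Joe Sandbox report, that parses API bullets in the report's own format and applies both observations as heuristics; the function names (parse_api_lines, find_remote_rwx_write, find_runtime_resolved, analyse) and the two watch-lists are my own choices, and the sample input is copied from the listings above.

```python
import re
from dataclasses import dataclass

# One "APIs" bullet from a Joe Sandbox function listing, e.g.
#   • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00CD63CA
# "Part of subcall function XXXX:" marks a call made by a callee, not by the function itself.
API_LINE = re.compile(
    r"^\s*[•*-]\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

MEM_COMMIT = 0x1000              # Win32 flAllocationType bit
PAGE_EXECUTE_READWRITE = 0x40    # Win32 flProtect value

# Watch-lists are an assumption of this example, built from the ntdll exports resolved above.
TOKEN_APIS = {"NtOpenProcessToken", "NtDuplicateToken", "NtFilterToken",
              "NtQueryInformationToken", "NtSetInformationToken", "RtlAllocateAndInitializeSid"}
ANTIDEBUG_APIS = {"NtSetInformationThread"}   # ThreadHideFromDebugger is set through this call


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # raw stack slots as printed: hex text, '?' or a string literal
    ref: int        # call-site address parsed from "ref:"
    subcall: bool


def parse_api_lines(text):
    """Parse every API bullet in `text`; lines that are not API bullets are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def as_hex(slot):
    """Integer value of a concrete 8-digit hex slot; None for '?' or a string literal."""
    return int(slot, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", slot) else None


def find_remote_rwx_write(calls):
    """(alloc_ref, write_ref) pairs: VirtualAllocEx committing PAGE_EXECUTE_READWRITE memory,
    followed in address order by WriteProcessMemory. Subcalls are skipped; a '?' in the
    flProtect slot cannot match, so a miss here is not evidence of absence."""
    findings, pending = [], None
    for c in sorted(calls, key=lambda c: c.ref):
        if c.subcall:
            continue
        if (c.api == "VirtualAllocEx" and len(c.args) >= 5
                and (as_hex(c.args[3]) or 0) & MEM_COMMIT
                and as_hex(c.args[4]) == PAGE_EXECUTE_READWRITE):
            pending = c
        elif c.api == "WriteProcessMemory" and pending is not None:
            findings.append((pending.ref, c.ref))
            pending = None
    return findings


def find_runtime_resolved(calls, watchlist):
    """Watch-listed export names resolved via GetProcAddress (second slot is lpProcName)."""
    return [c.args[1] for c in sorted(calls, key=lambda c: c.ref)
            if c.api == "GetProcAddress" and len(c.args) >= 2 and c.args[1] in watchlist]


def analyse(text):
    calls = parse_api_lines(text)
    return {
        "loads_ntdll_by_name": any(c.api == "LoadLibraryA" and c.args[:1] == ["ntdll.dll"]
                                   for c in calls),
        "remote_rwx_write": find_remote_rwx_write(calls),
        "token_apis": find_runtime_resolved(calls, TOKEN_APIS),
        "antidebug_apis": find_runtime_resolved(calls, ANTIDEBUG_APIS),
    }


# Sample input copied from the report listings above: one heap subcall line, the injection
# chain, the ntdll resolution chain and the argument-less wsprintfA line.
SAMPLE = """
  • Part of subcall function 00CDEBA0: GetProcessHeap.KERNEL32(00000000,00000000,00CDEC0A,00000000,80000001,?,00CDDB55,7FFF0001), ref: 00CDEBAD
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00CD9816,EntryPoint), ref: 00CD638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00CD9816,EntryPoint), ref: 00CD63A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00CD63CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00CD63EB
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00CD1839,00CD9646), ref: 00CD1012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 00CD10C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 00CD10E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00CD1101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00CD1121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00CD1140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00CD1160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00CD1180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 00CD119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 00CD11BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 00CD11DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 00CD11FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 00CD121A
• wsprintfA.USER32 ref: 00CDB3B7
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

The argument slots Joe Sandbox prints are the stack values observed at the call site, so the hProcess slot of VirtualAllocEx and WriteProcessMemory reading 00000000 here does not mean the target was the current process; only concrete constants such as the protection flag are reliable enough to key a heuristic on.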

APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 00CDB2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 00CDB2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 00CDB2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 00CDB2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 00CDB31A
• GetTimeZoneInformation.KERNEL32(?), ref: 00CDB329
• wsprintfA.USER32 ref: 00CDB3B7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                                                                                • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                                                                                • API String ID: 766114626-2976066047
                                                                                                                                                                • Opcode ID: 9b08eac1ad69ca733c2ef1cba2dc974abce9ae1560f3fe3efb9bea7a5a1e7971
                                                                                                                                                                • Instruction ID: f48c264d208a0fc78ee5c9c93931de0c8f1d3a2f5fc33617b218c8e49c2db321
                                                                                                                                                                • Opcode Fuzzy Hash: 9b08eac1ad69ca733c2ef1cba2dc974abce9ae1560f3fe3efb9bea7a5a1e7971
                                                                                                                                                                • Instruction Fuzzy Hash: 10513DB1D0025DEACF14DFD6D8859EEBBB9FF48304F30412AE611AA250D7B44AC9DB91
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                                                                                • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                                                                                • API String ID: 2400214276-165278494
                                                                                                                                                                • Opcode ID: d92f057b3b31abd3a65eda5cf9641761cc5b67c3565d4e89356dfdc94a6ac505
                                                                                                                                                                • Instruction ID: 18f88075e0eff88f2a692547fb252a3f29f9183866cf95c2a4276c4cc8b5d199
                                                                                                                                                                • Opcode Fuzzy Hash: d92f057b3b31abd3a65eda5cf9641761cc5b67c3565d4e89356dfdc94a6ac505
                                                                                                                                                                • Instruction Fuzzy Hash: A2615F72940248AFDB609FB4DC45FEA77F9FF08300F24406AFA69D6261DA719980CF50
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • wsprintfA.USER32 ref: 00CDA7FB
                                                                                                                                                                • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 00CDA87E
                                                                                                                                                                • send.WS2_32(00000000,?,00000000,00000000), ref: 00CDA893
                                                                                                                                                                • wsprintfA.USER32 ref: 00CDA8AF
                                                                                                                                                                • send.WS2_32(00000000,.,00000005,00000000), ref: 00CDA8D2
                                                                                                                                                                • wsprintfA.USER32 ref: 00CDA8E2
                                                                                                                                                                • recv.WS2_32(00000000,?,000003F6,00000000), ref: 00CDA97C
                                                                                                                                                                • wsprintfA.USER32 ref: 00CDA9B9
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: wsprintf$send$lstrlenrecv
                                                                                                                                                                • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                                                                                • API String ID: 3650048968-2394369944
                                                                                                                                                                • Opcode ID: 3febfa8e9dfcd2d55e799baacc22e771e7a8e619752347c423964bbe3f8c1741
                                                                                                                                                                • Instruction ID: ce45c38744d5b3f86d2b4888d5a21d244dff474b773660349dd683d184a5a8ba
                                                                                                                                                                • Opcode Fuzzy Hash: 3febfa8e9dfcd2d55e799baacc22e771e7a8e619752347c423964bbe3f8c1741
                                                                                                                                                                • Instruction Fuzzy Hash: DCA12671904385BBDF209B54DC85FBE3769FB00304F240427FB05AA2D1DAB19E89AB97
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%
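The block above is the sample's SMTP sending routine: the string table holds the command sequence (`ehlo %s` / `helo %s`, `AUTH LOGIN`, `mail from:<%s>`, `rcpt to:<%s>`, `data`, `quit`), the API list shows each command built with `wsprintfA` and pushed with `send`, a reply read with `recv` into a 0x3F6-byte (1014-byte) buffer, and a 5-byte `send` of "." that can only be the `CRLF.CRLF` end-of-DATA marker. The three "respons" strings are the bot's own reply checks. The Python below is an added example, not code from the report or from the sample, that replays that exchange against a scripted in-memory server so both sides of the conversation can be read offline. The command spellings, error strings and buffer size come from the listing; the expected reply codes, the rule that "ESMTP" in the banner selects EHLO over HELO, and the fake server are assumptions.

```python
# Added example (not from the Joe Sandbox report or the sample): SMTP client loop
# reconstructed from the strings and send()/recv() references in the listing above.
import base64
from typing import Callable, List, Optional, Tuple

RECV_SIZE = 0x3F6               # recv(..., 0x3F6, 0) in the listing: 1014-byte reply buffer
DOT_TERMINATOR = b"\r\n.\r\n"   # the 5-byte send of "." in the listing: end of DATA


class SmtpError(Exception):
    """Raised with the bot's own error strings so a failure maps back to the listing."""


class MemoryTransport:
    # Stand-in for the socket: each send() is answered by the scripted server (constructed).
    def __init__(self, server: Callable[[bytes], bytes], banner: bytes):
        self._server, self._inbox = server, banner
        self.transcript: List[Tuple[str, bytes]] = []   # ("C", data) client, ("S", data) server

    def send(self, data: bytes) -> int:
        self.transcript.append(("C", data))
        self._inbox = self._server(data)
        return len(data)

    def recv(self, n: int) -> bytes:
        data, self._inbox = self._inbox[:n], self._inbox[n:]
        self.transcript.append(("S", data))
        return data


def scripted_server() -> Callable[[bytes], bytes]:
    """Constructed permissive relay with just enough state for AUTH LOGIN and DATA."""
    in_data, auth_step, buf = False, 0, b""

    def respond(data: bytes) -> bytes:
        nonlocal in_data, auth_step, buf
        if in_data:                                   # collect the message until CRLF.CRLF
            buf += data
            if buf.endswith(DOT_TERMINATOR):
                in_data = False
                return b"250 queued\r\n"
            return b""
        if auth_step:                                 # base64 user name, then base64 password
            auth_step = (auth_step + 1) % 3
            return b"334 UGFzc3dvcmQ6\r\n" if auth_step == 2 else b"235 ok\r\n"
        cmd = data.strip().lower()
        if cmd.startswith((b"ehlo", b"helo")):
            return b"250-mx.example.test\r\n250 AUTH LOGIN PLAIN\r\n"
        if cmd == b"auth login":
            auth_step = 1
            return b"334 VXNlcm5hbWU6\r\n"
        if cmd.startswith((b"mail from:", b"rcpt to:")):
            return b"250 ok\r\n"
        if cmd == b"data":
            in_data = True
            return b"354 end data with <CR><LF>.<CR><LF>\r\n"
        if cmd == b"quit":
            return b"221 bye\r\n"
        return b"500 unknown command\r\n"
    return respond


def read_reply(t: MemoryTransport, expected: int) -> bytes:
    """The three reply checks named in the string table, then the code comparison."""
    reply = t.recv(RECV_SIZE)
    if len(reply) >= RECV_SIZE:               # buffer filled: the reply may be truncated
        raise SmtpError("Too big smtp respons (%d bytes)" % len(reply))
    if len(reply) < 3:
        raise SmtpError("Too small respons")
    if not reply[:3].isdigit() or int(reply[:3]) != expected:   # assumption: exact code match
        raise SmtpError("Incorrect respons")
    return reply


def send_cmd(t: MemoryTransport, line: str, expected: int) -> bytes:
    data = line.encode() + b"\r\n"
    sent = t.send(data)
    if sent != len(data):
        raise SmtpError("Error sending command (sent = %d/%d)" % (sent, len(data)))
    return read_reply(t, expected)


def run_session(t: MemoryTransport, helo_name: str, mail_from: str, rcpts: List[str],
                body: str, auth: Optional[Tuple[str, str]] = None) -> List[bytes]:
    """Client side in the order the string table suggests; returns what the client sent."""
    banner = read_reply(t, 220)
    greet = "ehlo %s" if b"ESMTP" in banner else "helo %s"   # assumption: where "ESMTP" is used
    send_cmd(t, greet % helo_name, 250)
    if auth is not None:
        send_cmd(t, "AUTH LOGIN", 334)
        send_cmd(t, base64.b64encode(auth[0].encode()).decode(), 334)
        send_cmd(t, base64.b64encode(auth[1].encode()).decode(), 235)
    send_cmd(t, "mail from:<%s>" % mail_from, 250)
    for rcpt in rcpts:
        send_cmd(t, "rcpt to:<%s>" % rcpt, 250)
    send_cmd(t, "data", 354)
    t.send(body.encode())
    t.send(DOT_TERMINATOR)
    read_reply(t, 250)
    send_cmd(t, "quit", 221)
    return [data for side, data in t.transcript if side == "C"]


def try_session(banner: bytes, auth: Optional[Tuple[str, str]] = None) -> Optional[str]:
    """One constructed session against a given banner; returns the bot's error string or None."""
    t = MemoryTransport(scripted_server(), banner)
    try:
        run_session(t, "bot-host", "sender@example.test", ["rcpt@example.test"],
                    "Subject: test\r\n\r\nhello", auth)
    except SmtpError as err:
        return str(err)
    return None
```

Run `run_session` on a `MemoryTransport` built from `scripted_server()` and print `t.transcript` to see the full two-sided exchange. The one behaviour worth remembering defensively is the size check: if the client rejects any reply that fills its 1014-byte buffer, as reconstructed here, a banner or EHLO response longer than that makes the bot abort before it sends a single envelope, which is cheap for a honeypot or tarpit to exploit.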

                                                                                                                                                                APIs
                                                                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 00CD139A
                                                                                                                                                                • lstrlenW.KERNEL32(-00000003), ref: 00CD1571
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExecuteShelllstrlen
                                                                                                                                                                • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                                                                                                • API String ID: 1628651668-179334549
                                                                                                                                                                • Opcode ID: 724cc42b3f91bf63809c3fb8363bb14cfefd2ee7b3745f2f84587c36295e77a0
                                                                                                                                                                • Instruction ID: aa072d1041c8f9e69cff2ad201402f7384d55926b21432634c7e731e30951898
                                                                                                                                                                • Opcode Fuzzy Hash: 724cc42b3f91bf63809c3fb8363bb14cfefd2ee7b3745f2f84587c36295e77a0
                                                                                                                                                                • Instruction Fuzzy Hash: 68F16EB5508381AFD320DF64C8C8B6AB7E5FB88304F18491EFA969B3A1D774D944CB52
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00CD2A83
                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00CD2A86
                                                                                                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 00CD2AA0
                                                                                                                                                                • htons.WS2_32(00000000), ref: 00CD2ADB
                                                                                                                                                                • select.WS2_32 ref: 00CD2B28
                                                                                                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 00CD2B4A
                                                                                                                                                                • htons.WS2_32(?), ref: 00CD2B71
                                                                                                                                                                • htons.WS2_32(?), ref: 00CD2B8C
                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00CD2BFB
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1639031587-0
                                                                                                                                                                • Opcode ID: dca5c3e40ebd066a7e577cdd7bb933fcf2f51f9964ead35448e4cfbce7080981
                                                                                                                                                                • Instruction ID: d6b3c8408c48dea6944e6b461c604eb5b3883daf153e81e25f57f4adba4d1e20
                                                                                                                                                                • Opcode Fuzzy Hash: dca5c3e40ebd066a7e577cdd7bb933fcf2f51f9964ead35448e4cfbce7080981
                                                                                                                                                                • Instruction Fuzzy Hash: 5961E4719043459FD720AF65DC48B6FBBE8FBA8751F10080AFA999B350D7B0DD809BA1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 00CD70C2
                                                                                                                                                                • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 00CD719E
                                                                                                                                                                • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 00CD71B2
                                                                                                                                                                • RegCloseKey.ADVAPI32(74DF0F10), ref: 00CD7208
                                                                                                                                                                • RegCloseKey.ADVAPI32(74DF0F10), ref: 00CD7291
                                                                                                                                                                • ___ascii_stricmp.LIBCMT ref: 00CD72C2
                                                                                                                                                                • RegCloseKey.ADVAPI32(74DF0F10), ref: 00CD72D0
                                                                                                                                                                • RegCloseKey.ADVAPI32(74DF0F10), ref: 00CD7314
                                                                                                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00CD738D
                                                                                                                                                                • RegCloseKey.ADVAPI32(74DF0F10), ref: 00CD73D8
                                                                                                                                                                  • Part of subcall function 00CDF1A5: lstrlenA.KERNEL32(000000C8,000000E4,00CE22F8,000000C8,00CD7150,?), ref: 00CDF1AD
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                                                                                • String ID: $"
                                                                                                                                                                • API String ID: 4293430545-3817095088
                                                                                                                                                                • Opcode ID: e202715904e92df85a3553fbc9d642b67f10768251f9508d04f50e8e648fffdc
                                                                                                                                                                • Instruction ID: b1c89f9403a4c8543b12a34722f595803d94edc9a0fc420f12dd114cb3bb1638
                                                                                                                                                                • Opcode Fuzzy Hash: e202715904e92df85a3553fbc9d642b67f10768251f9508d04f50e8e648fffdc
                                                                                                                                                                • Instruction Fuzzy Hash: D9B17172908249AADF15EFA4DC45BEF77B8EF04300F200667F615E6290FB759A84DB60
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 00CDAD98
                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CDADA6
                                                                                                                                                                  • Part of subcall function 00CDAD08: gethostname.WS2_32(?,00000080), ref: 00CDAD1C
                                                                                                                                                                  • Part of subcall function 00CDAD08: lstrlenA.KERNEL32(00000000), ref: 00CDAD60
                                                                                                                                                                  • Part of subcall function 00CDAD08: lstrlenA.KERNEL32(00000000), ref: 00CDAD69
                                                                                                                                                                  • Part of subcall function 00CDAD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 00CDAD7F
  • Part of subcall function 00CD30B5: gethostname.WS2_32(?,00000080), ref: 00CD30D8
  • Part of subcall function 00CD30B5: gethostbyname.WS2_32(?), ref: 00CD30E2
• wsprintfA.USER32 ref: 00CDAEA5
  • Part of subcall function 00CDA7A3: inet_ntoa.WS2_32(?), ref: 00CDA7A9
• wsprintfA.USER32 ref: 00CDAE4F
• wsprintfA.USER32 ref: 00CDAE5E
  • Part of subcall function 00CDEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 00CDEF92
  • Part of subcall function 00CDEF7C: lstrlenA.KERNEL32(?), ref: 00CDEF99
  • Part of subcall function 00CDEF7C: lstrlenA.KERNEL32(00000000), ref: 00CDEFA0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: b3846f7593954388651100ce2e74df3cb036e8d05727fe4f2693968d047ba608
• Instruction ID: 9af1429e0c98b889f1f77c24ab20264308c0974e11f8d6f3b6efe2505919caa5
• Opcode Fuzzy Hash: b3846f7593954388651100ce2e74df3cb036e8d05727fe4f2693968d047ba608
• Instruction Fuzzy Hash: EC4141B290024CBBDF25FFA1CC46EEF3BADFB08300F240426BA1596251EA71D654DB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00CD2F0F,?,00CD20FF,00CE2000), ref: 00CD2E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00CD2F0F,?,00CD20FF,00CE2000), ref: 00CD2E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00CD2E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00CD2F0F,?,00CD20FF,00CE2000), ref: 00CD2E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00CD2F0F,?,00CD20FF,00CE2000), ref: 00CD2E4F
• htons.WS2_32(00000035), ref: 00CD2E88
• inet_addr.WS2_32(?), ref: 00CD2E93
• gethostbyname.WS2_32(?), ref: 00CD2EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00CD2F0F,?,00CD20FF,00CE2000), ref: 00CD2EE3
• HeapFree.KERNEL32(00000000,?,00000000,00CD2F0F,?,00CD20FF,00CE2000), ref: 00CD2EE6
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: a8537e49f6134cbbc4a69cd45b7862b76f08653d8ea344de24a1a0b9712d20c5
• Instruction ID: 456239582c6b9f890556428a9818206b5adfa0be8c19d3510d8a7600b4f2e7c2
• Opcode Fuzzy Hash: a8537e49f6134cbbc4a69cd45b7862b76f08653d8ea344de24a1a0b9712d20c5
• Instruction Fuzzy Hash: 9B31CA71900645ABDF119BB89C88B6F77B8EF24362F240116FA24EB7D0D770DE819B90
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,?,00CD9DD7,?,00000022,?,?,00000000,00000001), ref: 00CD9340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00CD9DD7,?,00000022,?,?,00000000,00000001), ref: 00CD936E
• GetModuleFileNameA.KERNEL32(00000000,?,00CD9DD7,?,00000022,?,?,00000000,00000001), ref: 00CD9375
• wsprintfA.USER32 ref: 00CD93CE
• wsprintfA.USER32 ref: 00CD940C
• wsprintfA.USER32 ref: 00CD948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00CD94F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00CD9526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00CD9571
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: 22054fc6502cbd8d4850efaa61667cd70731e5a4a660a2cd228038eee8244dfe
• Instruction ID: 6790bb1e6c6e17202074166e3bdf962e5f213896dd8d91a8a6c2163f7e96b7ad
• Opcode Fuzzy Hash: 22054fc6502cbd8d4850efaa61667cd70731e5a4a660a2cd228038eee8244dfe
• Instruction Fuzzy Hash: 5EA182B2940248AFEB25DFA1DC85FDE3BACEB04740F100027FA1596252E775DA85DBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• wsprintfA.USER32 ref: 00CDB467
  • Part of subcall function 00CDEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 00CDEF92
  • Part of subcall function 00CDEF7C: lstrlenA.KERNEL32(?), ref: 00CDEF99
  • Part of subcall function 00CDEF7C: lstrlenA.KERNEL32(00000000), ref: 00CDEFA0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f534e4cd351be335adb8efdad5e77f2d03bac7bd56fe115111bb6dcfd9772b59
• Instruction ID: b274e7d40877e65ca2181b35b99d1b40fbc5f9ea9a206484ac61c6110e17d032
• Opcode Fuzzy Hash: f534e4cd351be335adb8efdad5e77f2d03bac7bd56fe115111bb6dcfd9772b59
• Instruction Fuzzy Hash: 3E416DB254011C7EDF01BBE5CCC2DBF7B6DEF49748B240126FA04A6242DB70AE55A7A1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00CD2078
• GetTickCount.KERNEL32 ref: 00CD20D4
• GetTickCount.KERNEL32 ref: 00CD20DB
• GetTickCount.KERNEL32 ref: 00CD212B
• GetTickCount.KERNEL32 ref: 00CD2132
• GetTickCount.KERNEL32 ref: 00CD2142
  • Part of subcall function 00CDF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,00CDE342,00000000,75A8EA50,80000001,00000000,00CDE513,?,00000000,00000000,?,000000E4), ref: 00CDF089
  • Part of subcall function 00CDF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,00CDE342,00000000,75A8EA50,80000001,00000000,00CDE513,?,00000000,00000000,?,000000E4,000000C8), ref: 00CDF093
  • Part of subcall function 00CDE854: lstrcpyA.KERNEL32(00000001,?,?,00CDD8DF,00000001,localcfg,except_info,00100000,00CE0264), ref: 00CDE88B
  • Part of subcall function 00CDE854: lstrlenA.KERNEL32(00000001,?,00CDD8DF,00000001,localcfg,except_info,00100000,00CE0264), ref: 00CDE899
  • Part of subcall function 00CD1C5F: wsprintfA.USER32 ref: 00CD1CE1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: ae2cca885c797eebabb0d6b1e28503fa64604fb32643fcce1ed8397a692e920a
• Instruction ID: 121655c3f813c99bc84c4915c0e416f56e9579f4329096659956476ae6c33f2a
• Opcode Fuzzy Hash: ae2cca885c797eebabb0d6b1e28503fa64604fb32643fcce1ed8397a692e920a
• Instruction Fuzzy Hash: A55106709043855EE739EF24ED86B1E7BE9AB50320F10042FE7519A2E1DBB4AA44E651
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CDA4C7: GetTickCount.KERNEL32 ref: 00CDA4D1
  • Part of subcall function 00CDA4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 00CDA4FA
• GetTickCount.KERNEL32 ref: 00CDC31F
• GetTickCount.KERNEL32 ref: 00CDC32B
• GetTickCount.KERNEL32 ref: 00CDC363
• GetTickCount.KERNEL32 ref: 00CDC378
• GetTickCount.KERNEL32 ref: 00CDC44D
• InterlockedIncrement.KERNEL32(00CDC4E4), ref: 00CDC4AE
• CreateThread.KERNEL32(00000000,00000000,00CDB535,00000000,?,00CDC4E0), ref: 00CDC4C1
• CloseHandle.KERNEL32(00000000,?,00CDC4E0,00CE3588,00CD8810), ref: 00CDC4CC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: b694e618c59729e7ad58d38841d0c458904f10df3a79a85763829df01b4385f7
• Instruction ID: 6e119db54acf47a3a724a0cb4d26440b183f70f4a6d435569042eb9fb9fdb500
• Opcode Fuzzy Hash: b694e618c59729e7ad58d38841d0c458904f10df3a79a85763829df01b4385f7
• Instruction Fuzzy Hash: BB513DB1500B428FD7249F6AC5D562ABBE9FB48300B50993EE29BC7BA0D774F944CB50
Uniqueness
Uniqueness Score: -1.00%
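
The most reusable artefacts in the function blocks above are the literal strings the code hands to wsprintfA, lstrcpyA and lstrcmpiA: the %OUTLOOK_BND_ / %OUTLOOK_HST / %OUTLOOK_MID and %FROM_* / %TO_* template macros, the ----=_NextPart_%03d_%04X_%08.8lX.%08.8lX boundary format, the localcfg / except_info / net_type / rbl_bl / rbl_ip configuration keys, and the smtp_herr / smtp_ban / smtp_retr keys compared in the lstrcmpiA function listed next. The Python script below is an added example, not code from the Joe Sandbox report or from the sample: it turns those strings into a dump-triage scanner and renders the boundary format the way wsprintfA would. The category names, the placeholder parameter names of render_boundary and the constructed SAMPLE_DUMP are this example's own assumptions; only the indicator strings themselves come from the report.

```python
"""Memory-dump triage for the Tofsee spam-engine strings listed in this report.

Added example, not code from the report or from the sample. The indicator
strings are copied from the report's "String ID" lines and from lstrcmpiA /
lstrcpyA arguments; the category names, the meaning assigned to the boundary
format arguments and SAMPLE_DUMP are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Strings the disassembled functions pass to wsprintfA / lstrcmpiA / lstrcpyA,
# grouped by the role this example assumes for them.
INDICATORS: Dict[str, List[bytes]] = {
    "template_macro": [
        b"%OUTLOOK_BND_", b"%OUTLOOK_HST", b"%OUTLOOK_MID",
        b"%DATE", b"%FROM_DOMAIN", b"%FROM_EMAIL", b"%FROM_USER",
        b"%M5DATE", b"%P5DATE",
        b"%TO_DOMAIN", b"%TO_EMAIL", b"%TO_HASH", b"%TO_USER",
    ],
    "mime_boundary_fmt": [b"----=_NextPart_%03d_%04X_%08.8lX.%08.8lX"],
    "config_key": [b"localcfg", b"except_info", b"net_type", b"rbl_bl", b"rbl_ip"],
    "smtp_response_class": [b"smtp_herr", b"smtp_ban", b"smtp_retr"],
}


@dataclass(frozen=True)
class Hit:
    category: str
    indicator: bytes
    offset: int


def scan_dump(data: bytes) -> List[Hit]:
    """Find every occurrence of every indicator in a raw dump, ordered by offset."""
    hits: List[Hit] = []
    for category, needles in INDICATORS.items():
        for needle in needles:
            start = 0
            while (pos := data.find(needle, start)) != -1:
                hits.append(Hit(category, needle, pos))
                start = pos + 1
    return sorted(hits, key=lambda h: (h.offset, h.indicator))


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per category. A dump that lights up several categories at
    once is a much stronger signal than any single string on its own."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.category] = counts.get(h.category, 0) + 1
    return counts


def render_boundary(seq: int, a: int, b: int, c: int) -> str:
    """Render the boundary format string the way wsprintfA would: %03d is a
    zero-padded decimal, %04X and %08.8lX are zero-padded upper-case hex.
    Which values the sample feeds in is not visible in the report, so the
    parameter names here are placeholders."""
    return f"----=_NextPart_{seq:03d}_{a:04X}_{b:08X}.{c:08X}"


# Shape of a rendered boundary. Genuine Outlook Express / Windows Mail messages
# use the same layout, so a match in mail traffic is a weak indicator by itself.
BOUNDARY_RE = re.compile(r"----=_NextPart_\d{3}_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}")


def looks_like_rendered_boundary(header_value: str) -> bool:
    """True when a Content-Type boundary value has the rendered layout."""
    return BOUNDARY_RE.fullmatch(header_value.strip()) is not None


# Constructed stand-in for a process dump (not real sample memory).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"----=_NextPart_%03d_%04X_%08.8lX.%08.8lX\x00"
    + b"%FROM_EMAIL\x00%TO_HASH\x00"
    + b"localcfg\x00smtp_retr\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in scan_dump(SAMPLE_DUMP):
        print(f"{hit.offset:#010x} {hit.category:20s} {hit.indicator!r}")
    print(summarize(scan_dump(SAMPLE_DUMP)))
    print(render_boundary(1, 0x0A3F, 0x01D9F00B, 0x12345678))
```

To use it on a real artefact, read the .sdmp or a full process dump as bytes and pass it to scan_dump; offsets are relative to the start of the file, so add the dump's base (00CD0000 for the region above) to map a hit back to the disassembly. The boundary regex is deliberately case-sensitive because the format string uses upper-case %X conversions; treat a regex hit in mail logs only as a prompt to look at the sending host, not as attribution.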

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 00CDBE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 00CDBE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 00CDBE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 00CDBF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 00CDBF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 00CDBF94
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
                                                                                                                                                                • API ID: lstrcmpi
                                                                                                                                                                • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                                                                                                • API String ID: 1586166983-1625972887
                                                                                                                                                                • Opcode ID: 84247a1987026a40d9ffe85052e2bd0c035cff011686a75b36b60900dc31b70e
                                                                                                                                                                • Instruction ID: 8a675b56f2beea07e26b37bf962e5a4f3f996a8ae603ccd3f6d115a913ce1ada
                                                                                                                                                                • Opcode Fuzzy Hash: 84247a1987026a40d9ffe85052e2bd0c035cff011686a75b36b60900dc31b70e
                                                                                                                                                                • Instruction Fuzzy Hash: 1C51C075A0065AEFDB119BA5CC81BAEBBB9AF44344F114067EA41AB351D730EE40CF90
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00CD9A60,?,?,00CD9E9D), ref: 00CD6A7D
                                                                                                                                                                • GetDiskFreeSpaceA.KERNEL32(00CD9E9D,00CD9A60,?,?,?,00CE22F8,?,?,?,00CD9A60,?,?,00CD9E9D), ref: 00CD6ABB
                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00CD9A60,?,?,00CD9E9D), ref: 00CD6B40
                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00CD9A60,?,?,00CD9E9D), ref: 00CD6B4E
                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00CD9A60,?,?,00CD9E9D), ref: 00CD6B5F
                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00CD9A60,?,?,00CD9E9D), ref: 00CD6B6F
                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00CD9A60,?,?,00CD9E9D), ref: 00CD6B7D
                                                                                                                                                                • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00CD9A60,?,?,00CD9E9D), ref: 00CD6B80
                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,00CD9A60,?,?,00CD9E9D,?,?,?,?,?,00CD9E9D,?,00000022,?), ref: 00CD6B96
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3188212458-0
                                                                                                                                                                • Opcode ID: e3346882926643b883b206e738793c5fbfe0ad1596002c481d7ccdb5038c4ac6
                                                                                                                                                                • Instruction ID: a6711d981bc86f41d0f7d7a7e0d46382eb1f239986a0d71bdfd344b26baa9b8a
                                                                                                                                                                • Opcode Fuzzy Hash: e3346882926643b883b206e738793c5fbfe0ad1596002c481d7ccdb5038c4ac6
                                                                                                                                                                • Instruction Fuzzy Hash: 6531A2B2900289BFDB01AFA48C85BDEBB79EB44310F144067E361EB351D7709A45EBA1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetUserNameA.ADVAPI32(?,00CDD7C3), ref: 00CD6F7A
                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,00CDD7C3), ref: 00CD6FC1
                                                                                                                                                                • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00CD6FE8
                                                                                                                                                                • LocalFree.KERNEL32(00000120), ref: 00CD701F
                                                                                                                                                                • wsprintfA.USER32 ref: 00CD7036
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                                                                                • String ID: /%d$|
                                                                                                                                                                • API String ID: 676856371-4124749705
                                                                                                                                                                • Opcode ID: 19ebde694f1d1130ffe1a391bfe16dd2e72ebc95e749858532e3250ae5c0747e
                                                                                                                                                                • Instruction ID: 41c205f6fe83794a83e43b75cf02c412641d3ddce44de3552fca3638c9d36a1e
                                                                                                                                                                • Opcode Fuzzy Hash: 19ebde694f1d1130ffe1a391bfe16dd2e72ebc95e749858532e3250ae5c0747e
                                                                                                                                                                • Instruction Fuzzy Hash: 92311A72904208ABDB01DFA9D849BDE7BBCEF04314F148166F959DB241EA75EB08CB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,00CE22F8,000000E4,00CD6DDC,000000C8), ref: 00CD6CE7
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00CD6CEE
                                                                                                                                                                • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00CD6D14
                                                                                                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00CD6D2B
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                                                                • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                                                                                • API String ID: 1082366364-3395550214
                                                                                                                                                                • Opcode ID: 2fe3cf870bed5989482c0d2019651b850efe986e2d4cd18304aa1954a70c424d
                                                                                                                                                                • Instruction ID: a7329de586789c59789c23790ea7f2d2ec0f7e11a7d06d3edbc5c51c3accd65d
                                                                                                                                                                • Opcode Fuzzy Hash: 2fe3cf870bed5989482c0d2019651b850efe986e2d4cd18304aa1954a70c424d
                                                                                                                                                                • Instruction Fuzzy Hash: D62123517402D83AF72167326CC9F7B6E5E8B52701F1C005AFB04AF291CAD88986D2F6
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • CreateProcessA.KERNEL32(00000000,00CD9947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,00CE22F8), ref: 00CD97B1
                                                                                                                                                                • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,00CE22F8), ref: 00CD97EB
                                                                                                                                                                • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00CE22F8), ref: 00CD97F9
                                                                                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,00CE22F8), ref: 00CD9831
                                                                                                                                                                • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,00CE22F8), ref: 00CD984E
                                                                                                                                                                • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00CE22F8), ref: 00CD985B
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                                                                • String ID: D
                                                                                                                                                                • API String ID: 2981417381-2746444292
                                                                                                                                                                • Opcode ID: 1cdfe5f7b117f519cc35b3f261f5b9a6c2c364279948f331524d2d27c83a4b31
                                                                                                                                                                • Instruction ID: cd55c3fc2eb4f5f50a2a1d452d889fb29b840e7a8eeb07474c3221be59bbde1f
                                                                                                                                                                • Opcode Fuzzy Hash: 1cdfe5f7b117f519cc35b3f261f5b9a6c2c364279948f331524d2d27c83a4b31
                                                                                                                                                                • Instruction Fuzzy Hash: 0E211B71901219BBDB119FA1DC89FEFBBBCEF09750F100062FA19E9150EB709A44DAA0
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 00CDDD05: GetTickCount.KERNEL32 ref: 00CDDD0F
                                                                                                                                                                  • Part of subcall function 00CDDD05: InterlockedExchange.KERNEL32(00CE36B4,00000001), ref: 00CDDD44
                                                                                                                                                                  • Part of subcall function 00CDDD05: GetCurrentThreadId.KERNEL32 ref: 00CDDD53
                                                                                                                                                                  • Part of subcall function 00CDDD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 00CDDDB5
                                                                                                                                                                • lstrcpynA.KERNEL32(?,00CD1E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,00CDEAAA,?,?), ref: 00CDE8DE
                                                                                                                                                                • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,00CDEAAA,?,?,00000001,?,00CD1E84,?), ref: 00CDE935
                                                                                                                                                                • lstrlenA.KERNEL32(00000001,?,?,?,?,?,00CDEAAA,?,?,00000001,?,00CD1E84,?,0000000A), ref: 00CDE93D
                                                                                                                                                                • lstrlenA.KERNEL32(00000000,?,?,?,?,?,00CDEAAA,?,?,00000001,?,00CD1E84,?), ref: 00CDE94F
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                                                                                • String ID: flags_upd$localcfg
                                                                                                                                                                • API String ID: 204374128-3505511081
                                                                                                                                                                • Opcode ID: a791567503e53ff6c7c70abc4bbbe95bf3fbf8cfdd9c4fdc32afbd87ebc83b7c
                                                                                                                                                                • Instruction ID: 83ee29555c9682c880990d24661080986d65a575d2b0f9988148790d7ffb736e
                                                                                                                                                                • Opcode Fuzzy Hash: a791567503e53ff6c7c70abc4bbbe95bf3fbf8cfdd9c4fdc32afbd87ebc83b7c
                                                                                                                                                                • Instruction Fuzzy Hash: EC513D7290020AAFCF11EFA8C9859AEBBF9FF48304F14456AF515A7211D774EA149B60
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: 136c0b2da00dd1206fe3c8e9f11de98b1bd60a9e0ff21b879f7b8e68fc882643
• Instruction ID: 7c3adbafe4aa7ca532dcd332fe921e147c1ab8516f01b370eeb353d9beae83ca
• Opcode Fuzzy Hash: 136c0b2da00dd1206fe3c8e9f11de98b1bd60a9e0ff21b879f7b8e68fc882643
• Instruction Fuzzy Hash: F8219072114105FFDB11ABB1ED89FAF3B6CDB84360B204417F642E5190EB71DA40E6B4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,00CE22F8), ref: 00CD907B
• wsprintfA.USER32 ref: 00CD90E9
• CreateFileA.KERNEL32(00CE22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00CD910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00CD9122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 00CD912D
• CloseHandle.KERNEL32(00000000), ref: 00CD9134
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: 4cf97895b73ceb6d485da1f29d534cb42cbf5f4dc4a824142ca0fed61a9a29e1
• Instruction ID: 70ed27b5ae3c7d277c8df21573f046d0e643cfdf1b05c4d3d71ca4811ee0630f
• Opcode Fuzzy Hash: 4cf97895b73ceb6d485da1f29d534cb42cbf5f4dc4a824142ca0fed61a9a29e1
• Instruction Fuzzy Hash: CF11B9B66401547BFB247732DC4EFAF367DDBC4B10F108066BB0AE9191EAB04E4197A0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00CDDD0F
• GetCurrentThreadId.KERNEL32 ref: 00CDDD20
• GetTickCount.KERNEL32 ref: 00CDDD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,00CDE538,?,74DF0F10,?,00000000,?,00CDA445), ref: 00CDDD3B
• InterlockedExchange.KERNEL32(00CE36B4,00000001), ref: 00CDDD44
• GetCurrentThreadId.KERNEL32 ref: 00CDDD53
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: c3a5019f5ffe8a4a02a246ba45edcae207e4b9a7e96d7f2363f0b2619d4f4587
• Instruction ID: 277ad8e6cef8bfb853be676967131d9280e9b6b9f48280052b7ad529d7b573ff
• Opcode Fuzzy Hash: c3a5019f5ffe8a4a02a246ba45edcae207e4b9a7e96d7f2363f0b2619d4f4587
• Instruction Fuzzy Hash: F2F089715041C4AFDB809B75ACC8B3D7B6AF744312F200017F60ACB361C76065858FB1
Uniqueness

Uniqueness Score: -1.00%

APIs
• gethostname.WS2_32(?,00000080), ref: 00CDAD1C
• lstrlenA.KERNEL32(00000000), ref: 00CDAD60
• lstrlenA.KERNEL32(00000000), ref: 00CDAD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 00CDAD7F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: c38e7d32a2808e818c70e1ff5a993641cc9ce653d4fa425c75352a376578b725
• Instruction ID: 7ee9bf676aa496e34ba98dc36a1ab335c1a2ea2058583ecbc95a2c045e41d321
• Opcode Fuzzy Hash: c38e7d32a2808e818c70e1ff5a993641cc9ce653d4fa425c75352a376578b725
• Instruction Fuzzy Hash: 7B0168208441C95DDF315728C885BB83F77AB97706F20005BE6D0CB726EBA4898383A3
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00CD98FD,00000001,00000100,00CE22F8,00CDA3C7), ref: 00CD4290
• CloseHandle.KERNEL32(00CDA3C7), ref: 00CD43AB
• CloseHandle.KERNEL32(00000001), ref: 00CD43AE
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: 2ec2e53c3d4e7015c6e6341c87689e6ed3ed380cfa9ca461c21133be06f6e844
• Instruction ID: c1923492b132588205fce2140a61531ec8dfeb3ab84b8c524a7b92cbf73da32b
• Opcode Fuzzy Hash: 2ec2e53c3d4e7015c6e6341c87689e6ed3ed380cfa9ca461c21133be06f6e844
• Instruction Fuzzy Hash: 0E418DB1C00249BBDF10ABA5CD86FAFBBB8EF40324F204556F714A6291D7749A41DBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,00CD64CF,00000000), ref: 00CD609C
• LoadLibraryA.KERNEL32(?,?,00CD64CF,00000000), ref: 00CD60C3
• GetProcAddress.KERNEL32(?,00000014), ref: 00CD614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 00CD619E
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: db1c3c620ddf802370bbf25632feec1ae8d619b15e6cef6cebf1ef2f324f7280
• Instruction ID: 06f877c566fc587a7f4ed6b518bf98dabb49ede66d6877d95b765152f53fe3f7
• Opcode Fuzzy Hash: db1c3c620ddf802370bbf25632feec1ae8d619b15e6cef6cebf1ef2f324f7280
• Instruction Fuzzy Hash: 01415C71A00106EFDB14CF69C884BADB7B5EF14354F24816AEA25DB391D730EE41DB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40af98087a2132fca3339ef540c9bd2eb0974167aa7726450d9223603cd9122d
• Instruction ID: bc8cdbe3424f51c1260122d1294334d10f976a596f2b17ff9b6b2bf3eb346065
• Opcode Fuzzy Hash: 40af98087a2132fca3339ef540c9bd2eb0974167aa7726450d9223603cd9122d
• Instruction Fuzzy Hash: A9318D71A00218ABCB219FA5CC81BBEB7F4EF58701F104457EA59EA251E274DA41AB64
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00CD272E
• htons.WS2_32(00000001), ref: 00CD2752
• htons.WS2_32(0000000F), ref: 00CD27D5
• htons.WS2_32(00000001), ref: 00CD27E3
• sendto.WS2_32(?,00CE2BF8,00000009,00000000,00000010,00000010), ref: 00CD2802
  • Part of subcall function 00CDEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,00CDEBFE,7FFF0001,?,00CDDB55,7FFF0001), ref: 00CDEBD3
  • Part of subcall function 00CDEBCC: RtlAllocateHeap.NTDLL(00000000,?,00CDDB55,7FFF0001), ref: 00CDEBDA
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
• Opcode ID: 487463ca9473b34ca8c463a400084f1bd29f99ccdfbf5483c2d0b578e1634922
• Instruction ID: 4d5a31b4e523c84c68e113a9f974289380996cf58f5a6fdbe227a645ae8f0076
• Opcode Fuzzy Hash: 487463ca9473b34ca8c463a400084f1bd29f99ccdfbf5483c2d0b578e1634922
• Instruction Fuzzy Hash: 0F3138342443CA9FE7308F74DCC1B697768EF29314B2A406EE966CF322D6729882D750
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,00CE22F8), ref: 00CD915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00CD9166
• CharToOemA.USER32(?,?), ref: 00CD9174
• wsprintfA.USER32 ref: 00CD91A9
  • Part of subcall function 00CD9064: GetTempPathA.KERNEL32(00000400,?,00000000,00CE22F8), ref: 00CD907B
  • Part of subcall function 00CD9064: wsprintfA.USER32 ref: 00CD90E9
  • Part of subcall function 00CD9064: CreateFileA.KERNEL32(00CE22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00CD910E
  • Part of subcall function 00CD9064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00CD9122
  • Part of subcall function 00CD9064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 00CD912D
  • Part of subcall function 00CD9064: CloseHandle.KERNEL32(00000000), ref: 00CD9134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00CD91E1
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
                                                                                                                                                                • API String ID: 3857584221-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00CD2491,?,?,?,00CDE844,-00000030,?,?,?,00000001), ref: 00CD2429
• lstrlenA.KERNEL32(?,?,00CD2491,?,?,?,00CDE844,-00000030,?,?,?,00000001,00CD1E3D,00000001,localcfg,lid_file_upd), ref: 00CD243E
• lstrcmpiA.KERNEL32(?,?), ref: 00CD2452
• lstrlenA.KERNEL32(?,?,00CD2491,?,?,?,00CDE844,-00000030,?,?,?,00000001,00CD1E3D,00000001,localcfg,lid_file_upd), ref: 00CD2467
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CDDD05: GetTickCount.KERNEL32 ref: 00CDDD0F
  • Part of subcall function 00CDDD05: InterlockedExchange.KERNEL32(00CE36B4,00000001), ref: 00CDDD44
  • Part of subcall function 00CDDD05: GetCurrentThreadId.KERNEL32 ref: 00CDDD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00CD5EC1), ref: 00CDE693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00CD5EC1), ref: 00CDE6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,74DF0F10,00000000,?,00CD5EC1), ref: 00CDE722
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.ADVAPI32(80000001,00CDE2A3,00000000,00000000,00000000,00020106,00000000,00CDE2A3,00000000,000000E4), ref: 00CDE0B2
• RegSetValueExA.ADVAPI32(00CDE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,00CE22F8), ref: 00CDE127
• RegDeleteValueA.ADVAPI32(00CDE2A3,?,?,?,?,?,000000C8,00CE22F8), ref: 00CDE158
• RegCloseKey.ADVAPI32(00CDE2A3,?,?,?,?,000000C8,00CE22F8,?,?,?,?,?,?,?,?,00CDE2A3), ref: 00CDE161
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNEL32(00000000,00000000,00CDA3C7,00000000,00000000,000007D0,00000001), ref: 00CD3FB8
• GetLastError.KERNEL32 ref: 00CD3FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00CD3FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CD3FE6
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(00000000,00000000,00CDA3C7,00000000,00000000,000007D0,00000001), ref: 00CD3F44
• GetLastError.KERNEL32 ref: 00CD3F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00CD3F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CD3F72
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00CDA4D1
• GetTickCount.KERNEL32 ref: 00CDA4E4
• Sleep.KERNEL32(00000000,?,00CDC2E9,00CDC4E0,00000000,localcfg,?,00CDC4E0,00CE3588,00CD8810), ref: 00CDA4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 00CDA4FA
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: 6c15ba3abe88473cbf3f5499a9ec8b95711be41a015976d31af7b0bba5907464
                                                                                                                                                                • Instruction ID: 1e3203a8173346072eabce3b9e97e290d2d32d353f2ffdbdf773c06c61a553cc
                                                                                                                                                                • Opcode Fuzzy Hash: 6c15ba3abe88473cbf3f5499a9ec8b95711be41a015976d31af7b0bba5907464
                                                                                                                                                                • Instruction Fuzzy Hash: A2E0863320121557C60057A6ACC4F6E7798EB89761F254062FB05D7240D696AA8145F7
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00CD4E9E
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00CD4EAD
                                                                                                                                                                • Sleep.KERNEL32(0000000A,?,00000001), ref: 00CD4EBA
                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00CD4EC3
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: 6133b94f268e4c02c58b579c47b6a43fd98d5fa138ad3a4f73452e5994b346d8
                                                                                                                                                                • Instruction ID: 00e8fb76c2e7220cdf3984091ad80fc2d56f0920ce5ab3c2bdb31d35487221f4
                                                                                                                                                                • Opcode Fuzzy Hash: 6133b94f268e4c02c58b579c47b6a43fd98d5fa138ad3a4f73452e5994b346d8
                                                                                                                                                                • Instruction Fuzzy Hash: 28E08C322012546BD61027BAACC4F6AA799AB96371F210533EB09D6280C6A6998245F1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00CD4BDD
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00CD4BEC
                                                                                                                                                                • Sleep.KERNEL32(00000000,?,?,?,0321B0E4,00CD50F2), ref: 00CD4BF9
                                                                                                                                                                • InterlockedExchange.KERNEL32(0321B0D8,00000001), ref: 00CD4C02
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: dd8133f7e666e272a69a2f0a2448cc13ee99b9d67ac0d2183bf36598ab899359
                                                                                                                                                                • Instruction ID: edffe6044721933bd9e9185fa3d9d47b79784ffc0d11dcd074216421e62b948b
                                                                                                                                                                • Opcode Fuzzy Hash: dd8133f7e666e272a69a2f0a2448cc13ee99b9d67ac0d2183bf36598ab899359
                                                                                                                                                                • Instruction Fuzzy Hash: 5BE0863224161467C61017A65CC0F6A7798DB95362F160073F708D6250C5A6D58145F1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00CD3103
                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00CD310F
                                                                                                                                                                • Sleep.KERNEL32(00000000), ref: 00CD311C
                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00CD3128
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                • Opcode ID: ee9cc7ba1dab39a533db14b34f051da7a2a9ed0d7c94f4e7e6893a4a327c2a02
                                                                                                                                                                • Instruction ID: 9ac33c844ffdbae81835ed5e686366b144ce00beb3562008d2339196835b424c
                                                                                                                                                                • Opcode Fuzzy Hash: ee9cc7ba1dab39a533db14b34f051da7a2a9ed0d7c94f4e7e6893a4a327c2a02
                                                                                                                                                                • Instruction Fuzzy Hash: 75E027353002565FDB0017759DC5B4E6B69DFC4761F110033F301D6160C5D04D4149B3
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTick
                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                • API String ID: 536389180-1857712256
                                                                                                                                                                • Opcode ID: 76a5ff752dd5da7cb28337becc31f40454ae818be7c44208e20db185139dfee1
                                                                                                                                                                • Instruction ID: d0700a11a3eff3880b527d9b6f291dee8278afda46f1b742110185228e612c32
                                                                                                                                                                • Opcode Fuzzy Hash: 76a5ff752dd5da7cb28337becc31f40454ae818be7c44208e20db185139dfee1
                                                                                                                                                                • Instruction Fuzzy Hash: 2F21C332610556AFCB109BA4CCC5B6EB7BAEB20710B29009BE511DB2E1CF24EA45C750
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                Strings
                                                                                                                                                                • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 00CDC057
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CountTickwsprintf
                                                                                                                                                                • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                                                                                • API String ID: 2424974917-1012700906
                                                                                                                                                                • Opcode ID: 507c9ed80a7f8fc86777c998b6e5994dba3c865798090a749493c1cab6be31f2
                                                                                                                                                                • Instruction ID: ff3e9f7810cc96c597aa1dc362edfd09066a3a4e27e541a241e2bbb9b715e3f9
                                                                                                                                                                • Opcode Fuzzy Hash: 507c9ed80a7f8fc86777c998b6e5994dba3c865798090a749493c1cab6be31f2
                                                                                                                                                                • Instruction Fuzzy Hash: 10119772100140FFDB429BA9CD44E567FA6FF88318B34919CF6188E166D633D863EB90
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 00CD30FA: GetTickCount.KERNEL32 ref: 00CD3103
                                                                                                                                                                  • Part of subcall function 00CD30FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00CD3128
                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00CD3929
                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00CD3939
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                                                                                • String ID: %FROM_EMAIL
                                                                                                                                                                • API String ID: 3716169038-2903620461
                                                                                                                                                                • Opcode ID: d549029d7e0c7d00538b13a4821566df5bf4561caa203965f8c6949475ff9da7
                                                                                                                                                                • Instruction ID: cdf06a855ea15ea58e76f1de4ed00ee6390a2d130cfb0a5a27e4bf4d0f77933f
                                                                                                                                                                • Opcode Fuzzy Hash: d549029d7e0c7d00538b13a4821566df5bf4561caa203965f8c6949475ff9da7
                                                                                                                                                                • Instruction Fuzzy Hash: A8110471900294EBE720DF1AD485B5CF3F4FB04725F20855AEA559B391C7B0AA81DFA1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,00CDBD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 00CDABB9
                                                                                                                                                                • InterlockedIncrement.KERNEL32(00CE3640), ref: 00CDABE1
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: IncrementInterlockedlstrcpyn
                                                                                                                                                                • String ID: %FROM_EMAIL
                                                                                                                                                                • API String ID: 224340156-2903620461
                                                                                                                                                                • Opcode ID: 362925fed4da8a4a8d05d6db3f0d4df9d9374d37996bdb635e4ca62bf66863cf
                                                                                                                                                                • Instruction ID: a9ed4b00f63879ef64f128a50a8aa6c007a2add56ad906b3d3d95fb9c6777c96
                                                                                                                                                                • Opcode Fuzzy Hash: 362925fed4da8a4a8d05d6db3f0d4df9d9374d37996bdb635e4ca62bf66863cf
                                                                                                                                                                • Instruction Fuzzy Hash: 75018C315082C4AFDB118F19D885F967BAABF55314F144496F6908B352C3B4EA85CBA2
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 00CD26C3
• inet_ntoa.WS2_32(?), ref: 00CD26E4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: b0bf18425e9937d5a5f10188644277c3e004d173744a0aefa59d4f9ede0f613b
• Instruction ID: a1063f15c88ba237471c1a8bcab598d6c94b2917f032b488712d3ab2512e7a27
• Opcode Fuzzy Hash: b0bf18425e9937d5a5f10188644277c3e004d173744a0aefa59d4f9ede0f613b
• Instruction Fuzzy Hash: BFF012321583096BEB046FA4EC49B9A379CDB05750F248426FB18DE190DBB1D9419798
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00CDEB54,_alldiv,00CDF0B7,80000001,00000000,00989680,00000000,?,?,?,00CDE342,00000000,75A8EA50,80000001,00000000), ref: 00CDEAF2
• GetProcAddress.KERNEL32(76E90000,00000000), ref: 00CDEB07
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: 033121fcfdfa52b54231c97a62d8d96ce6cdf0ec762ddaab676320af6f5d344f
• Instruction ID: 5fdb913b95b6ec6336fd776f80f7f8a8190ded6e232a4cda664b69b15ac0222f
• Opcode Fuzzy Hash: 033121fcfdfa52b54231c97a62d8d96ce6cdf0ec762ddaab676320af6f5d344f
• Instruction Fuzzy Hash: 21D0C9346103C2BB8F229F759E8FB0D76ACBB54702B50401AB516CE220E774E984DA08
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CD2D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00CD2F01,?,00CD20FF,00CE2000), ref: 00CD2D3A
  • Part of subcall function 00CD2D21: LoadLibraryA.KERNEL32(?), ref: 00CD2D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CD2F73
• HeapFree.KERNEL32(00000000), ref: 00CD2F7A
Memory Dump Source
• Source File: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_cd0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 8adf3707b670226d3b5c8319e21853463f34f283c8e394c13b6966c2a7276deb
• Instruction ID: 831eb4b3cb7915eb46c99deba321ceedbe46e5c1066d3ef661ee02da15fd1325
• Opcode Fuzzy Hash: 8adf3707b670226d3b5c8319e21853463f34f283c8e394c13b6966c2a7276deb
• Instruction Fuzzy Hash: BC518E7190025ADFDF019F64D8889FAB775FF15304F10456AEEA6DB320E7329A19CB90
Uniqueness
Uniqueness Score: -1.00%