
Windows Analysis Report
AvDJi40xp_9fyz7RPmKdbxb4.exe

Overview

General Information

Sample name: AvDJi40xp_9fyz7RPmKdbxb4.exe
Analysis ID: 1468501
MD5: b40b6b9bd2f7d17a65c72469ee2e2cfa
SHA1: 859ffdfda568b34e1c3ded9f846dea6e8774f5b5
SHA256: f37f32eb1c859541773f55297fb1e05bbfc2874851fc7bbd4e185d3a6a1b6583
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • AvDJi40xp_9fyz7RPmKdbxb4.exe (PID: 7136 cmdline: "C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe" MD5: B40B6B9BD2F7D17A65C72469EE2E2CFA)
    • cmd.exe (PID: 5080 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeuwztgf\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4340 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lfkidgdf.exe" C:\Windows\SysWOW64\qeuwztgf\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2496 cmdline: "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3156 cmdline: "C:\Windows\System32\sc.exe" description qeuwztgf "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6220 cmdline: "C:\Windows\System32\sc.exe" start qeuwztgf MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 5808 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • lfkidgdf.exe (PID: 2696 cmdline: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe" MD5: 1D7112211B0E3F7C2ED96B0897990451)
    • svchost.exe (PID: 4048 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Author: Joe Security
Source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Author: ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Author: Joe Security
Source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Author: unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 11.2.lfkidgdf.exe.400000.0.raw.unpack, Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Author: Joe Security
Source: 11.2.lfkidgdf.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 11.2.lfkidgdf.exe.400000.0.raw.unpack, Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Author: ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.raw.unpack, Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Author: Joe Security
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.raw.unpack, Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Author: unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

          System Summary

Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe", ParentImage: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe, ParentProcessId: 2696, ParentProcessName: lfkidgdf.exe, ProcessCommandLine: svchost.exe, ProcessId: 4048, ProcessName: svchost.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe", ParentImage: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe, ParentProcessId: 7136, ParentProcessName: AvDJi40xp_9fyz7RPmKdbxb4.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2496, ProcessName: sc.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 52.101.11.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 4048, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe", ParentImage: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe, ParentProcessId: 2696, ParentProcessName: lfkidgdf.exe, ProcessCommandLine: svchost.exe, ProcessId: 4048, ProcessName: svchost.exe
Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 4048, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qeuwztgf
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe", ParentImage: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe, ParentProcessId: 7136, ParentProcessName: AvDJi40xp_9fyz7RPmKdbxb4.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2496, ProcessName: sc.exe
          No Snort rule has matched

          AV Detection

Source: vanaheim.cn:443, Avira URL Cloud: Label: phishing
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.raw.unpack, Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: jotunheim.name, Virustotal: Detection: 13%
Source: vanaheim.cn, Virustotal: Detection: 17%
Source: jotunheim.name:443, Virustotal: Detection: 12%
Source: vanaheim.cn:443, Virustotal: Detection: 7%
Source: AvDJi40xp_9fyz7RPmKdbxb4.exe, Virustotal: Detection: 44%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.2% probability
Source: C:\Users\user\AppData\Local\Temp\lfkidgdf.exe, Joe Sandbox ML: detected
Source: AvDJi40xp_9fyz7RPmKdbxb4.exe, Joe Sandbox ML: detected

          Compliance

Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe, Unpacked PE file: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe, Unpacked PE file: 11.2.lfkidgdf.exe.400000.0.unpack
Source: AvDJi40xp_9fyz7RPmKdbxb4.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe, File opened: C:\Windows\SysWOW64\msvcr100.dll

          Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe, Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\qeuwztgf

          Networking

Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 67.195.228.94 25
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 195.133.13.231 443
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 98.136.96.75 25
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 104.47.53.36 25
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 52.101.11.0 25
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 142.251.173.26 25
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 80.66.75.11 443
Source: Malware configuration extractor, URLs: vanaheim.cn:443
Source: Malware configuration extractor, URLs: jotunheim.name:443
Source: Joe Sandbox View, IP Address: 52.101.11.0
Source: Joe Sandbox View, IP Address: 67.195.228.94
Source: Joe Sandbox View, IP Address: 217.69.139.150
Source: Joe Sandbox View, IP Address: 98.136.96.75
Source: Joe Sandbox View, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View, ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View, ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View, ASN Name: AS-REGRU
Source: Joe Sandbox View, ASN Name: YAHOO-NE1US
Source: global traffic, TCP traffic: 192.168.2.4:49731 -> 52.101.11.0:25
Source: global traffic, TCP traffic: 192.168.2.4:58402 -> 98.136.96.75:25
Source: global traffic, TCP traffic: 192.168.2.4:58408 -> 142.251.173.26:25
Source: global traffic, TCP traffic: 192.168.2.4:58410 -> 217.69.139.150:25
Source: global traffic, TCP traffic: 192.168.2.4:58414 -> 104.47.53.36:25
Source: global traffic, TCP traffic: 192.168.2.4:58416 -> 67.195.228.94:25
Source: global traffic, TCP traffic: 192.168.2.4:58419 -> 94.100.180.31:25
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe, Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic, DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic, DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic, DNS traffic detected: DNS query: yahoo.com
Source: global traffic, DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic, DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic, DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
Source: global traffic, DNS traffic detected: DNS query: google.com
Source: global traffic, DNS traffic detected: DNS query: smtp.google.com
Source: global traffic, DNS traffic detected: DNS query: mail.ru
Source: global traffic, DNS traffic detected: DNS query: mxs.mail.ru
Source: global traffic, DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic, DNS traffic detected: DNS query: jotunheim.name
Source: unknown, Network traffic detected: HTTP traffic on port 58412 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 58411 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 58418
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 58409
Source: unknown, Network traffic detected: HTTP traffic on port 58409 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 58415
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 58412
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 58411
Source: unknown, Network traffic detected: HTTP traffic on port 58418 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 58415 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49734

          Spam, unwanted Advertisements and Ransom Demands

Source: Yara match, File source: 11.2.lfkidgdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.lfkidgdf.exe.3290000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.svchost.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.lfkidgdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.lfkidgdf.exe.3290000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.3.lfkidgdf.exe.3120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.svchost.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.lfkidgdf.exe.2a70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2160785378.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000003.1856330126.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1770605242.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: AvDJi40xp_9fyz7RPmKdbxb4.exe PID: 7136, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: lfkidgdf.exe PID: 2696, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 4048, type: MEMORYSTR

          System Summary

          Source: 11.2.lfkidgdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.lfkidgdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.lfkidgdf.exe.3290000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.lfkidgdf.exe.3290000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 14.2.svchost.exe.2b00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 14.2.svchost.exe.2b00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.lfkidgdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.lfkidgdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.lfkidgdf.exe.3290000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.lfkidgdf.exe.3290000.2.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.3.lfkidgdf.exe.3120000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.3.lfkidgdf.exe.3120000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.3.lfkidgdf.exe.3120000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.3.lfkidgdf.exe.3120000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 14.2.svchost.exe.2b00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 14.2.svchost.exe.2b00000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.lfkidgdf.exe.2a70e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.lfkidgdf.exe.2a70e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.lfkidgdf.exe.2a70e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.lfkidgdf.exe.2a70e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000B.00000002.2160657446.0000000002AAD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000000B.00000002.2160785378.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000B.00000002.2160785378.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.4192202050.0000000002862000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000003.1856330126.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000003.1856330126.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000003.1770605242.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.1770605242.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,0_2_00408E26
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,LocalAlloc,0_2_00401280
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\qeuwztgf\
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Code function: 0_2_0040C913 0_2_0040C913
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Code function: 11_2_0040C913 11_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02B0C913 14_2_02B0C913
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Code function: String function: 029827AB appears 35 times
Source: AvDJi40xp_9fyz7RPmKdbxb4.exe, 00000000.00000002.4192106290.0000000002815000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesAtlassing0 vs AvDJi40xp_9fyz7RPmKdbxb4.exe
Source: AvDJi40xp_9fyz7RPmKdbxb4.exe, 00000000.00000002.4192222669.00000000028A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesAtlassing0 vs AvDJi40xp_9fyz7RPmKdbxb4.exe
Source: AvDJi40xp_9fyz7RPmKdbxb4.exe | Binary or memory string: OriginalFilenamesAtlassing0 vs AvDJi40xp_9fyz7RPmKdbxb4.exe
Source: AvDJi40xp_9fyz7RPmKdbxb4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 11.2.lfkidgdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.lfkidgdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.lfkidgdf.exe.3290000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.lfkidgdf.exe.3290000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 14.2.svchost.exe.2b00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 14.2.svchost.exe.2b00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.lfkidgdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.lfkidgdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.lfkidgdf.exe.3290000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.lfkidgdf.exe.3290000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.3.lfkidgdf.exe.3120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.3.lfkidgdf.exe.3120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.3.lfkidgdf.exe.3120000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.3.lfkidgdf.exe.3120000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 14.2.svchost.exe.2b00000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 14.2.svchost.exe.2b00000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.lfkidgdf.exe.2a70e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.lfkidgdf.exe.2a70e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.lfkidgdf.exe.2a70e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.lfkidgdf.exe.2a70e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.2160657446.0000000002AAD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.2160785378.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.2160785378.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000002.4192202050.0000000002862000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000003.1856330126.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000003.1856330126.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000003.1770605242.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000003.1770605242.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: AvDJi40xp_9fyz7RPmKdbxb4.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/3@17/9
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Code function: 0_2_02866ECC CreateToolhelp32Snapshot,Module32First,0_2_02866ECC
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,11_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02B09A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,14_2_02B09A6B
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | File created: C:\Users\user\AppData\Local\Temp\lfkidgdf.exe
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AvDJi40xp_9fyz7RPmKdbxb4.exe | Virustotal: Detection: 44%
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | File read: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_11-14845
Source: unknown | Process created: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe "C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe"
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeuwztgf\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lfkidgdf.exe" C:\Windows\SysWOW64\qeuwztgf\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description qeuwztgf "wifi internet conection"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start qeuwztgf
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe"
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeuwztgf\
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lfkidgdf.exe" C:\Windows\SysWOW64\qeuwztgf\
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description qeuwztgf "wifi internet conection"
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start qeuwztgf
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Section loaded: msimg32.dll
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Section loaded: msvcr100.dll
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
          Source: AvDJi40xp_9fyz7RPmKdbxb4.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Unpacked PE file: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Unpacked PE file: 11.2.lfkidgdf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Unpacked PE file: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Unpacked PE file: 11.2.lfkidgdf.exe.400000.0.unpack
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_0286A1B4 push 0000002Bh; iretd 0_2_0286A1BA
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Code function: 11_2_02AB4B2C push 0000002Bh; iretd 11_2_02AB4B32
Source: AvDJi40xp_9fyz7RPmKdbxb4.exe Static PE information: section name: .text entropy: 7.709118323604979

Persistence and Installation Behavior

Source: unknown Executable created and started: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe (copy)
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe File created: C:\Users\user\AppData\Local\Temp\lfkidgdf.exe
Source: C:\Windows\SysWOW64\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qeuwztgf
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 14_2_02B0199C
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 707
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_11-15271
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15191
Source: C:\Windows\SysWOW64\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_14-6989
Source: C:\Windows\SysWOW64\svchost.exe Evaded block: after key decision graph_14-6130
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15139
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_11-15902
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_14-6420
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_14-7409
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14717
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_11-14861
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe API coverage: 6.1 %
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 6312 Thread sleep time: -34000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 6560 Thread sleep count: 707 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 6560 Thread sleep time: -707000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 6560 Thread sleep count: 173 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 6560 Thread sleep time: -173000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
Source: svchost.exe, 0000000E.00000002.4191147601.0000000002E00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe API call chain: ExitProcess graph end node graph_0-15151
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node graph_14-6422

Anti Debugging

Source: C:\Windows\SysWOW64\svchost.exe Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_14-7655
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_11-16195
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_028667A9 push dword ptr fs:[00000030h] 0_2_028667A9
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_02980D90 mov eax, dword ptr fs:[00000030h] 0_2_02980D90
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_0298092B mov eax, dword ptr fs:[00000030h] 0_2_0298092B
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Code function: 11_2_02A70D90 mov eax, dword ptr fs:[00000030h] 11_2_02A70D90
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Code function: 11_2_02A7092B mov eax, dword ptr fs:[00000030h] 11_2_02A7092B
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Code function: 11_2_02AB1121 push dword ptr fs:[00000030h] 11_2_02AB1121
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02B09A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 14_2_02B09A6B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 67.195.228.94 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 195.133.13.231 443
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 98.136.96.75 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 104.47.53.36 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 52.101.11.0 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 142.251.173.26 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 80.66.75.11 443
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2B00000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B00000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B00000
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2846008
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeuwztgf\
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lfkidgdf.exe" C:\Windows\SysWOW64\qeuwztgf\
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description qeuwztgf "wifi internet conection"
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start qeuwztgf
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,VirtualProtect, 0_2_00409326

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

Stealing of Sensitive Information

Source: Yara match File source: 11.2.lfkidgdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.lfkidgdf.exe.3290000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.lfkidgdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.lfkidgdf.exe.3290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.lfkidgdf.exe.3120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.lfkidgdf.exe.2a70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2160785378.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1856330126.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1770605242.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AvDJi40xp_9fyz7RPmKdbxb4.exe PID: 7136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lfkidgdf.exe PID: 2696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4048, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: 11.2.lfkidgdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.2980e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.lfkidgdf.exe.3290000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.AvDJi40xp_9fyz7RPmKdbxb4.exe.4460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.svchost.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.lfkidgdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.lfkidgdf.exe.3290000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.3.lfkidgdf.exe.3120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.AvDJi40xp_9fyz7RPmKdbxb4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.svchost.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.lfkidgdf.exe.2a70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2160785378.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000003.1856330126.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1770605242.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: AvDJi40xp_9fyz7RPmKdbxb4.exe PID: 7136, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: lfkidgdf.exe PID: 2696, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 4048, type: MEMORYSTR
Source: C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe, Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
Source: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe, Code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 11_2_004088B0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 14_2_02B088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 14_2_02B088B0
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the count shown in the matrix cell)

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
• Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
• Execution: Native API (41); Command and Scripting Interpreter (2); Service Execution (3); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
• Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (14); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
• Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (412); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
• Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); Masquerading (12); Valid Accounts (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (412)
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
• Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (15); Security Software Discovery (111); Virtualization/Sandbox Evasion (11); Process Discovery (1); Application Window Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
• Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
• Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1468501
Sample: AvDJi40xp_9fyz7RPmKdbxb4.exe
Startdate: 06/07/2024
Architecture: WINDOWS
Score: 100

Start:
• DNS/IP: yahoo.com; vanaheim.cn; 10 other IPs or domains
• Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
• Started: lfkidgdf.exe; AvDJi40xp_9fyz7RPmKdbxb4.exe 2

lfkidgdf.exe:
• Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures
• Started: svchost.exe 1

AvDJi40xp_9fyz7RPmKdbxb4.exe:
• Dropped: C:\Users\user\AppData\Local\...\lfkidgdf.exe, PE32
• Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
• Started: cmd.exe 1; netsh.exe 2; cmd.exe 2; 3 other processes

svchost.exe:
• DNS/IP: mta6.am0.yahoodns.net 98.136.96.75, 25 YAHOO-NE1US United States; mta7.am0.yahoodns.net 67.195.228.94, 25 YAHOO-GQ1US United States; 7 other IPs or domains
• Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Adds extensions / path to Windows Defender exclusion list (Registry)

cmd.exe (first instance):
• Dropped: C:\Windows\SysWOW64\...\lfkidgdf.exe (copy), PE32
• Started: conhost.exe

netsh.exe:
• Started: conhost.exe

cmd.exe (second instance):
• Started: conhost.exe

3 other processes:
• Started: conhost.exe (three instances)

Source | Detection | Scanner | Label
AvDJi40xp_9fyz7RPmKdbxb4.exe | 45% | Virustotal |
AvDJi40xp_9fyz7RPmKdbxb4.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\lfkidgdf.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
mta6.am0.yahoodns.net | 1% | Virustotal |
mxs.mail.ru | 0% | Virustotal |
mta7.am0.yahoodns.net | 1% | Virustotal |
jotunheim.name | 14% | Virustotal |
microsoft-com.mail.protection.outlook.com | 0% | Virustotal |
15.164.165.52.in-addr.arpa | 1% | Virustotal |
vanaheim.cn | 17% | Virustotal |
mail.ru | 0% | Virustotal |
smtp.google.com | 0% | Virustotal |
yahoo.com | 0% | Virustotal |
google.com | 0% | Virustotal |
50.23.12.20.in-addr.arpa | 1% | Virustotal |

Source | Detection | Scanner | Label
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
jotunheim.name:443 | 0% | Avira URL Cloud | safe
jotunheim.name:443 | 13% | Virustotal |
vanaheim.cn:443 | 8% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mta6.am0.yahoodns.net | 98.136.96.75 | true | true | | unknown
mxs.mail.ru | 217.69.139.150 | true | true | | unknown
mta7.am0.yahoodns.net | 67.195.228.94 | true | true | | unknown
jotunheim.name | 80.66.75.11 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.11.0 | true | true | | unknown
vanaheim.cn | 195.133.13.231 | true | true | | unknown
smtp.google.com | 142.251.173.26 | true | false | | unknown
15.164.165.52.in-addr.arpa | unknown | unknown | true | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
50.23.12.20.in-addr.arpa | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | 8% Virustotal; Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | 13% Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.11.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
67.195.228.94 | mta7.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
142.251.173.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
195.133.13.231 | vanaheim.cn | Russian Federation | 197695 | AS-REGRU | true
98.136.96.75 | mta6.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true
80.66.75.11 | jotunheim.name | Russian Federation | 20803 | RISS-ASRU | true
94.100.180.31 | unknown | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
104.47.53.36 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1468501
Start date and time: 2024-07-06 09:06:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AvDJi40xp_9fyz7RPmKdbxb4.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@22/3@17/9
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 66
• Number of non-executed functions: 249
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.112.250.133, 20.76.201.171, 20.70.246.20, 20.231.239.246, 20.236.44.162
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:08:09 | API Interceptor | 857x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
52.101.11.0 | DWoKcG581L.exe | malicious | Tofsee
52.101.11.0 | kPl1mZTpru.exe | malicious | Tofsee
52.101.11.0 | Wc4SadetF5.exe | malicious | Tofsee
52.101.11.0 | L7iza9mNDI.exe | malicious | Tofsee
52.101.11.0 | file.exe | malicious | Tofsee
52.101.11.0 | sorteado!!.com.exe | malicious | Unknown
52.101.11.0 | U9dDsItOij.exe | malicious | Tofsee
52.101.11.0 | bwntJQufLG.exe | malicious | Tofsee
52.101.11.0 | t26nL0kcxj.exe | malicious | Tofsee
52.101.11.0 | SecuriteInfo.com.Win32.TrojanX-gen.11678.1633.exe | malicious | Tofsee
67.195.228.94 | dIg0MWRViP.exe | malicious | Tofsee
67.195.228.94 | SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | malicious | Phorpiex
67.195.228.94 | file.exe | malicious | Phorpiex
67.195.228.94 | WtRLqa6ZXn.exe | malicious | Unknown
67.195.228.94 | newtpp.exe | malicious | Phorpiex
67.195.228.94 | gEkl9O5tiu.exe | malicious | Phorpiex
67.195.228.94 | file.exe | malicious | Tofsee
67.195.228.94 | file.exe | malicious | Phorpiex, Xmrig
67.195.228.94 | l3Qj8QhTYZ.exe | malicious | Phorpiex
67.195.228.94 | message.elm.exe | malicious | Unknown
217.69.139.150 | I5vhb7vJPS.exe | malicious | Tofsee
217.69.139.150 | lYWiDKe1In.exe | malicious | Tofsee
217.69.139.150 | dIg0MWRViP.exe | malicious | Tofsee
217.69.139.150 | rpzOeQ5QzX.exe | malicious | Tofsee
217.69.139.150 | OgcktrbHkI.exe | malicious | Tofsee
217.69.139.150 | G7DyaA9iz9.exe | malicious | Pushdo
217.69.139.150 | x607DB0i08.exe | malicious | Pushdo
217.69.139.150 | x7RlIzQDk1.exe | malicious | Unknown
217.69.139.150 | EwK95WVtzI.exe | malicious | Pushdo
217.69.139.150 | OWd39WUX3D.exe | malicious | Pushdo
98.136.96.75 | gEkl9O5tiu.exe | malicious | Phorpiex
98.136.96.75 | file.exe | malicious | Phorpiex, Xmrig
98.136.96.75 | l3Qj8QhTYZ.exe | malicious | Phorpiex
98.136.96.75 | file.log.exe | malicious | Unknown
98.136.96.75 | message.txt.exe | malicious | Unknown
98.136.96.75 | ac492e6a204784df07ef3841b3ae1f8a68b349db90a34.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Xmrig
98.136.96.75 | readme.txt.exe | malicious | Unknown
98.136.96.75 | Update-KB9504-x86.exe | malicious | Unknown
98.136.96.75 | d5lcwbdDfu.exe | malicious | Tofsee Xmrig
98.136.96.75 | sbFQSOHQS9.exe | malicious | Tofsee Xmrig
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mta6.am0.yahoodns.net | I5vhb7vJPS.exe | malicious | Tofsee | 67.195.228.110
mta6.am0.yahoodns.net | OgcktrbHkI.exe | malicious | Tofsee | 67.195.228.110
mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.94
mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.204.72
mta6.am0.yahoodns.net | RqrQG7s66x.dll | malicious | Unknown | 67.195.228.109
mta6.am0.yahoodns.net | webcam.txt.com.exe | malicious | Unknown | 67.195.204.73
mta6.am0.yahoodns.net | file.exe | malicious | Tofsee | 98.136.96.74
mta6.am0.yahoodns.net | file.msg.scr.exe | malicious | Unknown | 67.195.228.106
mta6.am0.yahoodns.net | file.exe | malicious | Tofsee | 67.195.228.94
mta6.am0.yahoodns.net | .exe | malicious | Unknown | 98.136.96.91
mta7.am0.yahoodns.net | dIg0MWRViP.exe | malicious | Tofsee | 67.195.228.94
mta7.am0.yahoodns.net | rpzOeQ5QzX.exe | malicious | Tofsee | 98.136.96.91
mta7.am0.yahoodns.net | SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | malicious | Phorpiex | 67.195.228.94
mta7.am0.yahoodns.net | SecuriteInfo.com.Win32.BotX-gen.31335.5127.exe | malicious | Tofsee | 67.195.204.73
mta7.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.111
mta7.am0.yahoodns.net | file.exe | malicious | Phorpiex | 98.136.96.77
mta7.am0.yahoodns.net | RqrQG7s66x.dll | malicious | Unknown | 67.195.204.79
mta7.am0.yahoodns.net | 3pYA64ZwEC.exe | malicious | Unknown | 98.136.96.77
mta7.am0.yahoodns.net | newtpp.exe | malicious | Phorpiex | 98.136.96.91
mta7.am0.yahoodns.net | 7b8wRbnmKu.exe | malicious | Unknown | 67.195.204.79
jotunheim.name | kPl1mZTpru.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | Wc4SadetF5.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | L7iza9mNDI.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | file.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | U9dDsItOij.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | t26nL0kcxj.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | SecuriteInfo.com.Win32.BotX-gen.15544.10747.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | SecuriteInfo.com.Win32.BotX-gen.28812.11191.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | SecuriteInfo.com.Trojan.Siggen23.53341.25424.13682.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | kNFzCbNNpD.exe | malicious | Tofsee | 80.66.75.77
mxs.mail.ru | yq5xNPpWCT.exe | malicious | PureLog Stealer, SystemBC | 94.100.180.31
mxs.mail.ru | I5vhb7vJPS.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | lYWiDKe1In.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | dIg0MWRViP.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | rpzOeQ5QzX.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | OgcktrbHkI.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | a5hbkmGD7N.exe | malicious | Pushdo | 94.100.180.31
mxs.mail.ru | G7DyaA9iz9.exe | malicious | Pushdo | 217.69.139.150
mxs.mail.ru | x7RlIzQDk1.exe | malicious | Unknown | 217.69.139.150
mxs.mail.ru | gEkl9O5tiu.exe | malicious | Phorpiex | 94.100.180.31
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MAILRU-ASMailRuRU | http://ct31152.tw1.ru/ | malicious | Unknown | 94.100.180.226
MAILRU-ASMailRuRU | http://cb00287.tw1.ru/ | malicious | Unknown | 217.69.129.214
MAILRU-ASMailRuRU | http://cv59800.tw1.ru/ | malicious | Unknown | 217.69.129.214
MAILRU-ASMailRuRU | I5vhb7vJPS.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | lYWiDKe1In.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | https://cs13786.tw1.ru/ | malicious | Unknown | 217.69.129.214
MAILRU-ASMailRuRU | http://cf20871.tw1.ru/ | malicious | Unknown | 5.61.23.11
MAILRU-ASMailRuRU | x64.nn.elf | malicious | Mirai | 128.140.169.91
MAILRU-ASMailRuRU | dIg0MWRViP.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | rpzOeQ5QzX.exe | malicious | Tofsee | 217.69.139.150
YAHOO-NE1US | s4WsI8Qcm4.elf | malicious | Mirai, Moobot | 98.139.105.91
YAHOO-NE1US | NgAzrOQSgK.elf | malicious | Mirai | 98.139.7.69
YAHOO-NE1US | lYWiDKe1In.exe | malicious | Tofsee | 98.136.96.91
YAHOO-NE1US | rpzOeQ5QzX.exe | malicious | Tofsee |
                                                                                          • 98.136.96.91
                                                                                          V#U2550DEOS.EXEGet hashmaliciousBrontokBrowse
                                                                                          • 74.6.231.20
                                                                                          vylI38MZOn.elfGet hashmaliciousMiraiBrowse
                                                                                          • 98.137.87.64
                                                                                          https://www.canva.com/design/DAGDiia04Xg/_SQxN5BXpIl2RgDD44fATw/edit?utm_content=DAGDiia04Xg&utm_campaign=designshare&utm_medium=link2&utm_source=sharebuttonGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 98.137.155.8
                                                                                          P5uKPY120j.elfGet hashmaliciousMiraiBrowse
                                                                                          • 216.252.107.75
                                                                                          806aab44-6c03-4577-a3c4-83aa13dc7875.tmpGet hashmaliciousUnknownBrowse
                                                                                          • 98.137.155.8
                                                                                          https://xsetlp3sattty7yhmls.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                          • 74.6.231.20
                                                                                          MICROSOFT-CORP-MSN-AS-BLOCKUS(No subject) (29).emlGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 104.47.65.28
                                                                                          arm5-20240706-0012.elfGet hashmaliciousMiraiBrowse
                                                                                          • 20.18.255.130
                                                                                          https://pub-fb608504b57048a1b1ca54c74dbf132d.r2.dev/ront.html?ccsendGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 20.76.252.24
                                                                                          https://netorgft11417463-my.sharepoint.com/:o:/g/personal/miraxy_mlmfoodsusa_com/Ep2tW9OiVYhPtqAXFyRLSFoBWqPOojE29ja-FQWlUqv0SA?e=5%3algW4EA&at=9Get hashmaliciousHTMLPhisherBrowse
                                                                                          • 13.107.136.10
                                                                                          https://bainbridgemfg-my.sharepoint.com/:o:/p/david/ErvlllHCJGpPobC1afGT7j4Badn5zob3qi0w_pRTIz-v-g?e=5%3a0L4XAf&at=9Get hashmaliciousHTMLPhisherBrowse
                                                                                          • 13.107.136.10
                                                                                          https://starsof.com/404.php?7-797967704b536932307465765443334f7a4d6d73306b744f533948337a676e494439454841413d3d-amdyb3dAdG9sbGVzb25hei5vcmc=Get hashmaliciousHTMLPhisherBrowse
                                                                                          • 13.74.129.92
                                                                                          https://deacerousa2-my.sharepoint.com/:o:/g/personal/eservice_huynhlaw_com/Ekv2F9Kc_pJJuB-bxZ7Z5QcBrNuZWh85OaRkXp9nQSqCiQ?e=5%3aD7eLEH&at=9Get hashmaliciousHTMLPhisherBrowse
                                                                                          • 52.107.242.226
                                                                                          https://deacerousa2-my.sharepoint.com/:o:/g/personal/eservice_huynhlaw_com/Ekv2F9Kc_pJJuB-bxZ7Z5QcBrNuZWh85OaRkXp9nQSqCiQ?e=5%3aD7eLEH&at=9Get hashmaliciousHTMLPhisherBrowse
                                                                                          • 13.107.136.10
                                                                                          Christy Towler shared _OmniSource Marketing Group_ with you.emlGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 13.107.136.10
                                                                                          Christy Towler shared _OmniSource Marketing Group_ with you.emlGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 13.107.136.10
                                                                                          AS-REGRUScan405.exeGet hashmaliciousFormBookBrowse
                                                                                          • 194.58.112.174
                                                                                          ScanPDF_102.exeGet hashmaliciousFormBookBrowse
                                                                                          • 194.58.112.174
                                                                                          TOgpmvvWoj.exeGet hashmaliciousFormBookBrowse
                                                                                          • 194.58.112.174
                                                                                          AuT5pFGTFw.exeGet hashmaliciousFormBookBrowse
                                                                                          • 194.58.112.174
                                                                                          new order.exeGet hashmaliciousFormBookBrowse
                                                                                          • 194.58.112.174
                                                                                          MUdeeReQ5R.exeGet hashmaliciousFormBookBrowse
                                                                                          • 194.58.112.174
                                                                                          nJ8mJTmMf0.exeGet hashmaliciousFormBookBrowse
                                                                                          • 194.58.112.174
                                                                                          Attendance list.exeGet hashmaliciousFormBookBrowse
                                                                                          • 194.58.112.174
                                                                                          XNP1BNVNqi.elfGet hashmaliciousMiraiBrowse
                                                                                          • 80.78.252.5
                                                                                          DHL Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                                                                          • 194.58.112.174
                                                                                          YAHOO-GQ1USI5vhb7vJPS.exeGet hashmaliciousTofseeBrowse
                                                                                          • 67.195.228.110
                                                                                          https://yellatism.com/click.php?key=2240o76mk7oyoycyr074&cid=cphbldi9sch0sh7da130&zone=2353135-2517555085-3576986712&campaign=395161020&type=Push&age=11&creative_id=547520&campaign_id=108855&site_id=11517&placement_id=43113822&preset_id=500Get hashmaliciousUnknownBrowse
                                                                                          • 98.137.11.164
                                                                                          dIg0MWRViP.exeGet hashmaliciousTofseeBrowse
                                                                                          • 67.195.228.94
                                                                                          GK9sEyIS4f.elfGet hashmaliciousMiraiBrowse
                                                                                          • 98.136.201.234
                                                                                          n6UMcur8v3.elfGet hashmaliciousMiraiBrowse
                                                                                          • 98.137.238.181
                                                                                          zGP5DlrwgZ.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                          • 98.137.103.190
                                                                                          9g5gIOlb47.elfGet hashmaliciousMiraiBrowse
                                                                                          • 98.139.117.88
                                                                                          https://www.googleadservices.com/pagead/aclk?sa=L&ai=CEPSIY7k7Zpu1AY3rkPIP8q21mAvP_pi8d4PY85XiEsq6jPG-ARABIPT5xiVgyeaGi7ykoBqgAcCz_YIDyAEC4AIAqAMByAMIqgSdAk_QZfhjp8EKKRw8Ud-sac3T3jbhfjxjJ1sRhgU3SOjAuI5huqeTvemsIazylmO5A9WU45_edGutcUqL46MvuNtxU89a64S7xhljcSlyUs-dysnWLJ2j0jUpH_gKnco9owTuaX1dg-lH7IYSpQI3MKj-Dr00v1SC_8ZhuzoINVR1E2pcblzJpyD5_udwujRkOY3Fao0Lt8Mai9Sq-EbJfdXMijbwOeNV94FwcwlSMZ7he13IkHy_a1HexFAPvo5qqjQXKG7VuYCajYpF3q5URq0loIuDY5WXWNc5RPV77yzvPDM2ytOukuK76vBmfoFdcFIyWUc5xZIVsm9dr8SzjJNE1z63RwDOkXHpq4VxrPcl1gRfUlqaUGyYeMbOoMAEp9WvltcE4AQBiAWQgcDhTpAGAaAGAoAHqMyCfYgHAZAHAqgH2baxAqgH1ckbqAemvhuoB47OG6gHk9gbqAfulrECqAf-nrECqAevvrECqAeaBqgH89EbqAeW2BuoB6qbsQKoB4OtsQKoB-C9sQKoB_-esQKoB9-fsQKoB_jCsQKoB_vCsQLYBwHSCCcIABACGB0yAQA6Dp_QgICAgASAwICAgKAoSL39wTpYjsuajM3-hQOxCUbAF_v0mAHVgAoDmAsByAsBqg0CVVPIDQHiDRMIlf2ajM3-hQMVjTVECB3yVg2z2BMM0BUB-BYBgBcBshgJEgLeaBgCIgEA6BgB&ae=1&gclid=Cj0KCQjwxeyxBhC7ARIsAC7dS38YLg3rX_OKomm_dfFxFHKQ-xaABBJ-7gCz8VhxHk9qVjyKpQQOlOIaAvqNEALw_wcB&num=1&cid=CAQSQwB7FLtqgUEuOym-5Tn68arUiPJ1jdwPgw46Y6zUHfAkI3hTIEhGQzVeYafsm9LBj6pxutwTRiLFJPhCq9OvYdD7CqQYAQ&sig=AOD64_2G4fRbd2sH1E5jnf1iXQS4SW_Q2g&client=ca-pub-6396844742497208&rf=5&nx=CLICK_X&ny=CLICK_Y&uap=UACH(platform)&uapv=UACH(platformVersion)&uaa=UACH(architecture)&uam=UACH(model)&uafv=UACH(uaFullVersion)&uab=UACH(bitness)&uaw=UACH(wow64)&uafvl=UACH(fullVersionList)&nb=2&adurl=https://browsingwithwave.com/%3Fsrc%3Dd-aff16-cp21142438032%26ob%3Dobgcobedobem%26dvc%3Dc%26k%3D%26crt%3D695418066867%26adp%3D%26plc%3D%26tgt%3D%26sl%3D%26cpd%3D21142438032%26iid%3Dwav%26gclid%3DCj0KCQjwxeyxBhC7ARIsAC7dS38YLg3rX_OKomm_dfFxFHKQ-xaABBJ-7gCz8VhxHk9qVjyKpQQOlOIaAvqNEALw_wcBGet hashmaliciousUnknownBrowse
                                                                                          • 98.136.144.138
                                                                                          https://t.co/yKnQGIBNmnGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 74.6.160.138
                                                                                          SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exeGet hashmaliciousPhorpiexBrowse
                                                                                          • 67.195.228.94
                                                                                          No context
                                                                                          No context
                                                                                          Process:C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12696064
                                                                                          Entropy (8bit):5.50848535248732
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:xqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqS:
                                                                                          MD5:1D7112211B0E3F7C2ED96B0897990451
                                                                                          SHA1:FFE8C1DC7ADE2954699C86909142CF6BE5350313
                                                                                          SHA-256:EDA4991615678D5147D4E63FE8519274C2563B68E38D4663EAFB47F27CF4BCCD
                                                                                          SHA-512:FFDA3D463B1F7D8F89AFB089B198A7847F07AE95F535DADA604647E7278B0C01FDA18E213CDC046A2A4823AAFB90DE03DA65846F0C81DCE43F2093CAF6A5A235
                                                                                          Malicious:true
                                                                                          Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Note:the same file (identical SHA-256) is recorded again in the next entry as dropped by cmd.exe; at 12696064 bytes it is about 54 times the size of the 235008-byte submitted sample, and its SSDEEP chunk string is almost entirely repeated 'q' characters (consecutive chunks hashing identically), so the bulk of the file is repeated content rather than unique code.
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............yB.yB.yB...B.yB...B.yB...B..yB...B.yB.xB..yB...B.yB...B.yB...B.yBRich.yB................PE..L...577d.....................P@.....h%............@...........................B......;......................................<9.......PA..............................9...............................4..@............................................text...p........................... ..`.rdata..d2.......4..................@..@.data.....>..P.......6..............@....rsrc........PA....................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12696064
                                                                                          Entropy (8bit):5.50848535248732
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:xqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqS:
                                                                                          MD5:1D7112211B0E3F7C2ED96B0897990451
                                                                                          SHA1:FFE8C1DC7ADE2954699C86909142CF6BE5350313
                                                                                          SHA-256:EDA4991615678D5147D4E63FE8519274C2563B68E38D4663EAFB47F27CF4BCCD
                                                                                          SHA-512:FFDA3D463B1F7D8F89AFB089B198A7847F07AE95F535DADA604647E7278B0C01FDA18E213CDC046A2A4823AAFB90DE03DA65846F0C81DCE43F2093CAF6A5A235
                                                                                          Malicious:true
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............yB.yB.yB...B.yB...B.yB...B..yB...B.yB.xB..yB...B.yB...B.yB...B.yBRich.yB................PE..L...577d.....................P@.....h%............@...........................B......;......................................<9.......PA..............................9...............................4..@............................................text...p........................... ..`.rdata..d2.......4..................@..@.data.....>..P.......6..............@....rsrc........PA....................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\SysWOW64\netsh.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3773
                                                                                          Entropy (8bit):4.7109073551842435
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                          MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                          SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                          SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                          SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                          Malicious:false
Preview (netsh's response to the firewall-rule command, captured to a file: the invalid-argument error followed by the usage text for `netsh advfirewall firewall add rule`, i.e. the command was rejected rather than applied in this run):
A specified value is not valid.

Usage: add rule name=<string>
      dir=in|out
      action=allow|block|bypass
      [program=<program path>]
      [service=<service short name>|any]
      [description=<string>]
      [enable=yes|no (default=yes)]
      [profile=public|private|domain|any[,...]]
      [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
      [remoteport=0-65535|<port range>[,...]|any (default=any)]
      [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
         tcp|udp|any (default=any)]
      [interfacetype=wireless|lan|ras|any]
      [rmtcomputergrp=<SDDL string>]
      [rmtusrgrp=<SDDL string>]
      [edge=yes|deferapp|deferuser|no (default=no)]
      [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):6.314370004206929
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:AvDJi40xp_9fyz7RPmKdbxb4.exe
                                                                                          File size:235'008 bytes
                                                                                          MD5:b40b6b9bd2f7d17a65c72469ee2e2cfa
                                                                                          SHA1:859ffdfda568b34e1c3ded9f846dea6e8774f5b5
                                                                                          SHA256:f37f32eb1c859541773f55297fb1e05bbfc2874851fc7bbd4e185d3a6a1b6583
                                                                                          SHA512:7a4b7171000f8dad0eed766e212ee6c9ebf6431175291442524383232f5455f6bc3e8b224c31dc8bf48ad0cba4ef7637edd4dcc8f32e48f93fb9ea7036adeae1
                                                                                          SSDEEP:3072:DI/quXXuYu/IdYKV97eRuWYxYBouZdSzBS7sy4iIb:DYqKXzEIzSbYxYTAS7W
                                                                                          TLSH:5B34DF21B2E19431D47B453785F1FA60EA7ABC52B7F1912F23682A3F2EB07D18725316
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............yB..yB..yB...B..yB...B..yB...B..yB...B..yB..xB..yB...B..yB...B..yB...B..yBRich..yB................PE..L...577d...........
                                                                                          Icon Hash:63796de961636e0f
                                                                                          Entrypoint:0x402568
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                          DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x64373735 [Wed Apr 12 22:56:53 2023 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:5
                                                                                          OS Version Minor:1
                                                                                          File Version Major:5
                                                                                          File Version Minor:1
                                                                                          Subsystem Version Major:5
                                                                                          Subsystem Version Minor:1
                                                                                          Import Hash:48bfd2c8ba2c8c1adc16449871b198d1
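The static fields above (Time Stamp, Entrypoint, Image File Characteristics, DLL Characteristics, Subsystem, OS version) are read straight out of the COFF and PE32 optional headers; the "PE..L...577d" run in the File Content Preview is literally those bytes: the PE signature, Machine 0x014C, the section count and the link timestamp 35 37 37 64 = 0x64373735. The one security property they settle is relocation: RELOCS_STRIPPED with no DYNAMIC_BASE flag means the loader cannot rebase the image, so it always maps at 0x400000 with no ASLR (NX_COMPAT still lets DEP apply). The following decoder is an added example, not code from the Joe Sandbox report. build_constructed_header() fabricates a minimal PE32 header carrying the values the report shows for this sample so the decoder can be checked offline; it is not the sample's bytes, and the section count of 4 is a constructed value. The import hash is not reproduced here because it requires the import table, which the report does not print.

```python
"""Decode a PE header's link timestamp, entry point and characteristic flags,
and derive whether the image can be relocated for ASLR.

Added example, not from the Joe Sandbox report.  build_constructed_header()
is a CONSTRUCTED header with the report's values; on a real file call
parse_pe_header(open(path, "rb").read()).
"""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* bits from the COFF header Characteristics word.
IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
# IMAGE_DLLCHARACTERISTICS_* bits from the optional header.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}


def _flags(value, table):
    """Names of the set bits, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, timestamp, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]    # ImageBase
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    linked = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": hex(machine),
        "sections": nsections,
        "timestamp_raw": hex(timestamp),
        "timestamp_utc": linked.strftime("%Y-%m-%d %H:%M:%S"),
        "image_base": image_base,
        "entrypoint": image_base + entry_rva,   # VA, as the report prints it
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": _flags(characteristics, IMAGE_FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
    }


def aslr_compatible(info: dict) -> bool:
    """The loader only rebases an image that opts in (DYNAMIC_BASE) and still
    carries its relocations; RELOCS_STRIPPED pins it to image_base."""
    return ("DYNAMIC_BASE" in info["dll_characteristics"]
            and "RELOCS_STRIPPED" not in info["characteristics"])


def build_constructed_header() -> bytes:
    """CONSTRUCTED: the report's header values, every other field zero."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0x64373735, 0, 0, 224, 0x0103)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2568)           # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<HH", opt, 40, 5, 1)            # OS version 5.1
    struct.pack_into("<HH", opt, 48, 5, 1)            # subsystem version 5.1
    struct.pack_into("<HH", opt, 68, 2, 0x8100)       # GUI; NX_COMPAT|TERMINAL_SERVER_AWARE
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    info = parse_pe_header(build_constructed_header())
    for key, value in info.items():
        print(f"{key}: {value}")
    print("ASLR-compatible:", aslr_compatible(info))
```

Run against a real binary, the timestamp is worth comparing with the file's first-seen date and the "Programming Language" linker build: a link time far in the future or the past, or one that disagrees with the debug directory, is a common sign of a tampered header, whereas here 0x64373735 decodes to the same 2023-04-12 22:56:53 UTC the report shows.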
                                                                                          Instruction
                                                                                          call 00007F1FD523C0F7h
                                                                                          jmp 00007F1FD523935Eh
                                                                                          push edi
                                                                                          mov eax, esi
                                                                                          and eax, 0Fh
                                                                                          test eax, eax
                                                                                          jne 00007F1FD5239597h
                                                                                          mov edx, ecx
                                                                                          and ecx, 7Fh
                                                                                          shr edx, 07h
                                                                                          je 00007F1FD5239537h
                                                                                          jmp 00007F1FD52394D8h
                                                                                          lea ebx, dword ptr [ebx+00000000h]
                                                                                          movdqa xmm0, dqword ptr [esi]
                                                                                          movdqa xmm1, dqword ptr [esi+10h]
                                                                                          movdqa xmm2, dqword ptr [esi+20h]
                                                                                          movdqa xmm3, dqword ptr [esi+30h]
                                                                                          movdqa dqword ptr [edi], xmm0
                                                                                          movdqa dqword ptr [edi+10h], xmm1
                                                                                          movdqa dqword ptr [edi+20h], xmm2
                                                                                          movdqa dqword ptr [edi+30h], xmm3
                                                                                          movdqa xmm4, dqword ptr [esi+40h]
                                                                                          movdqa xmm5, dqword ptr [esi+50h]
                                                                                          movdqa xmm6, dqword ptr [esi+60h]
                                                                                          movdqa xmm7, dqword ptr [esi+70h]
                                                                                          movdqa dqword ptr [edi+40h], xmm4
                                                                                          movdqa dqword ptr [edi+50h], xmm5
                                                                                          movdqa dqword ptr [edi+60h], xmm6
                                                                                          movdqa dqword ptr [edi+70h], xmm7
                                                                                          lea esi, dword ptr [esi+00000080h]
                                                                                          lea edi, dword ptr [edi+00000080h]
                                                                                          dec edx
                                                                                          jne 00007F1FD5239475h
                                                                                          test ecx, ecx
                                                                                          je 00007F1FD523951Bh
                                                                                          mov edx, ecx
                                                                                          shr edx, 04h
                                                                                          test edx, edx
                                                                                          je 00007F1FD52394E9h
                                                                                          lea ebx, dword ptr [ebx+00000000h]
                                                                                          movdqa xmm0, dqword ptr [esi]
                                                                                          movdqa dqword ptr [edi], xmm0
                                                                                          lea esi, dword ptr [esi+10h]
                                                                                          lea edi, dword ptr [edi+10h]
                                                                                          dec edx
                                                                                          jne 00007F1FD52394C1h
                                                                                          and ecx, 0Fh
                                                                                          je 00007F1FD52394F6h
                                                                                          mov eax, ecx
                                                                                          shr ecx, 02h
                                                                                          je 00007F1FD52394DFh
                                                                                          mov edx, dword ptr [esi]
                                                                                          mov dword ptr [edi], edx
                                                                                          lea esi, dword ptr [esi+04h]
                                                                                          lea edi, dword ptr [edi+04h]
                                                                                          dec ecx
                                                                                          jne 00007F1FD52394C5h
                                                                                          mov ecx, eax
                                                                                          and ecx, 00000000h
                                                                                          Programming Language:
                                                                                          • [C++] VS2010 build 30319
                                                                                          • [ASM] VS2010 build 30319
                                                                                          • [ C ] VS2010 build 30319
                                                                                          • [IMP] VS2008 SP1 build 30729
                                                                                          • [RES] VS2010 build 30319
                                                                                          • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2393c | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2415000 | 0xaa80 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x239dc | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x23400 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x21000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1fd70 | 0x1fe00 | f5b5e491efb8ad14df382794e6776642 | False | 0.8540517769607843 | data | 7.709118323604979 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x21000 | 0x3264 | 0x3400 | dc624da186f5daab5640a9131c1c02cb | False | 0.3528395432692308 | data | 4.875662859094191 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x25000 | 0x23efea0 | 0xb400 | b235bffcaa98db9eee9dbe7e6d7e3579 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2415000 | 0xaa80 | 0xac00 | c848a5b0454368cd4816965a8c11e511 | False | 0.5316815043604651 | data | 5.479127369442671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x24153a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.5299539170506913
RT_ICON | 0x2415a68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.4182572614107884
RT_ICON | 0x2418010 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.45390070921985815
RT_ICON | 0x24184a8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Japanese | Japan | 0.3997867803837953
RT_ICON | 0x2419350 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Japanese | Japan | 0.5816787003610109
RT_ICON | 0x2419bf8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Japanese | Japan | 0.646889400921659
RT_ICON | 0x241a2c0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Japanese | Japan | 0.661849710982659
RT_ICON | 0x241a828 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Japanese | Japan | 0.5451244813278008
RT_ICON | 0x241cdd0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Japanese | Japan | 0.5970919324577861
RT_ICON | 0x241de78 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Japanese | Japan | 0.5713114754098361
RT_ICON | 0x241e800 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Japanese | Japan | 0.650709219858156
RT_STRING | 0x241ef70 | 0x6c0 | data | Japanese | Japan | 0.42476851851851855
RT_STRING | 0x241f630 | 0x23a | Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0 | Japanese | Japan | 0.48947368421052634
RT_STRING | 0x241f870 | 0x20e | data | Japanese | Japan | 0.5057034220532319
RT_GROUP_ICON | 0x2418478 | 0x30 | data | Japanese | Japan | 0.9375
RT_GROUP_ICON | 0x241ec68 | 0x76 | data | Japanese | Japan | 0.6694915254237288
RT_VERSION | 0x241ece0 | 0x290 | MS Windows COFF PA-RISC object file | | | 0.5274390243902439
DLL | Import
KERNEL32.dll | GetConsoleAliasesLengthW, SetEndOfFile, FindResourceW, CreateDirectoryW, WriteConsoleInputA, VirtualFree, GetWindowsDirectoryA, LoadLibraryW, ReplaceFileW, GetModuleFileNameW, GlobalUnlock, SetLastError, GetProcAddress, LoadLibraryA, IsBadStringPtrW, GlobalGetAtomNameW, EnumResourceTypesW, GetOEMCP, CancelIo, OpenFileMappingW, GetWindowsDirectoryW, RtlUnwind, Sleep, GetStringTypeW, LCMapStringW, RemoveVectoredExceptionHandler, FindResourceA, CreateFileA, LocalAlloc, GetDateFormatW, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, HeapAlloc, MultiByteToWideChar, HeapReAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, IsProcessorFeaturePresent, RaiseException, HeapCreate, GetModuleHandleW, ExitProcess, DecodePointer, WriteFile, GetStdHandle, EncodePointer, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetCurrentThreadId, SetUnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, UnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapSize
USER32.dll | InsertMenuItemW, GetKeyboardLayoutNameW, GetCaretPos, SetMessageExtraInfo, CharUpperBuffW, DdeKeepStringHandle, GetClassInfoW
GDI32.dll | GetCharWidthW
ADVAPI32.dll | CopySid, BackupEventLogW
SHELL32.dll | FindExecutableA
ole32.dll | CoRevokeClassObject, CoMarshalHresult
WINHTTP.dll | WinHttpWriteData
Language of compilation system | Country where language is spoken | Map
Japanese | Japan |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 6, 2024 09:07:26.823124886 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.0
Jul 6, 2024 09:07:27.908132076 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.0
Jul 6, 2024 09:07:29.908129930 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.0
Jul 6, 2024 09:07:30.033493042 CEST | 49734 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:07:30.033518076 CEST | 443 | 49734 | 195.133.13.231 | 192.168.2.4
Jul 6, 2024 09:07:30.033588886 CEST | 49734 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:07:33.923743010 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.0
Jul 6, 2024 09:07:41.923763037 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.0
Jul 6, 2024 09:07:46.832237959 CEST | 58402 | 25 | 192.168.2.4 | 98.136.96.75
Jul 6, 2024 09:07:47.892532110 CEST | 58402 | 25 | 192.168.2.4 | 98.136.96.75
Jul 6, 2024 09:07:49.892699003 CEST | 58402 | 25 | 192.168.2.4 | 98.136.96.75
Jul 6, 2024 09:07:53.892534971 CEST | 58402 | 25 | 192.168.2.4 | 98.136.96.75
Jul 6, 2024 09:08:01.908209085 CEST | 58402 | 25 | 192.168.2.4 | 98.136.96.75
Jul 6, 2024 09:08:06.863055944 CEST | 58408 | 25 | 192.168.2.4 | 142.251.173.26
Jul 6, 2024 09:08:07.876934052 CEST | 58408 | 25 | 192.168.2.4 | 142.251.173.26
Jul 6, 2024 09:08:09.876946926 CEST | 58408 | 25 | 192.168.2.4 | 142.251.173.26
Jul 6, 2024 09:08:10.035496950 CEST | 49734 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:08:10.035581112 CEST | 443 | 49734 | 195.133.13.231 | 192.168.2.4
Jul 6, 2024 09:08:10.035702944 CEST | 49734 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:08:10.296592951 CEST | 58409 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:08:10.296613932 CEST | 443 | 58409 | 195.133.13.231 | 192.168.2.4
Jul 6, 2024 09:08:10.296843052 CEST | 58409 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:08:13.876966000 CEST | 58408 | 25 | 192.168.2.4 | 142.251.173.26
Jul 6, 2024 09:08:21.892576933 CEST | 58408 | 25 | 192.168.2.4 | 142.251.173.26
Jul 6, 2024 09:08:26.894571066 CEST | 58410 | 25 | 192.168.2.4 | 217.69.139.150
Jul 6, 2024 09:08:27.892606974 CEST | 58410 | 25 | 192.168.2.4 | 217.69.139.150
Jul 6, 2024 09:08:29.892726898 CEST | 58410 | 25 | 192.168.2.4 | 217.69.139.150
Jul 6, 2024 09:08:33.892961025 CEST | 58410 | 25 | 192.168.2.4 | 217.69.139.150
Jul 6, 2024 09:08:41.892604113 CEST | 58410 | 25 | 192.168.2.4 | 217.69.139.150
Jul 6, 2024 09:08:50.283477068 CEST | 58409 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:08:50.283565998 CEST | 443 | 58409 | 195.133.13.231 | 192.168.2.4
Jul 6, 2024 09:08:50.283623934 CEST | 58409 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:08:50.395740032 CEST | 58411 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:08:50.395771980 CEST | 443 | 58411 | 195.133.13.231 | 192.168.2.4
Jul 6, 2024 09:08:50.395838022 CEST | 58411 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:09:30.392812014 CEST | 58411 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:09:30.392901897 CEST | 443 | 58411 | 195.133.13.231 | 192.168.2.4
Jul 6, 2024 09:09:30.392968893 CEST | 58411 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:09:30.527815104 CEST | 58412 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:09:30.527865887 CEST | 443 | 58412 | 195.133.13.231 | 192.168.2.4
Jul 6, 2024 09:09:30.528054953 CEST | 58412 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:09:53.633944988 CEST | 58414 | 25 | 192.168.2.4 | 104.47.53.36
Jul 6, 2024 09:09:54.642785072 CEST | 58414 | 25 | 192.168.2.4 | 104.47.53.36
Jul 6, 2024 09:09:56.658519983 CEST | 58414 | 25 | 192.168.2.4 | 104.47.53.36
Jul 6, 2024 09:10:00.658432007 CEST | 58414 | 25 | 192.168.2.4 | 104.47.53.36
Jul 6, 2024 09:10:08.673999071 CEST | 58414 | 25 | 192.168.2.4 | 104.47.53.36
Jul 6, 2024 09:10:10.533494949 CEST | 58412 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:10:10.533572912 CEST | 443 | 58412 | 195.133.13.231 | 192.168.2.4
Jul 6, 2024 09:10:10.533646107 CEST | 58412 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:10:10.643465996 CEST | 58415 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:10:10.643501043 CEST | 443 | 58415 | 195.133.13.231 | 192.168.2.4
Jul 6, 2024 09:10:10.643584967 CEST | 58415 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:10:13.660056114 CEST | 58416 | 25 | 192.168.2.4 | 67.195.228.94
Jul 6, 2024 09:10:14.674062014 CEST | 58416 | 25 | 192.168.2.4 | 67.195.228.94
Jul 6, 2024 09:10:16.689766884 CEST | 58416 | 25 | 192.168.2.4 | 67.195.228.94
Jul 6, 2024 09:10:20.689675093 CEST | 58416 | 25 | 192.168.2.4 | 67.195.228.94
Jul 6, 2024 09:10:28.705327034 CEST | 58416 | 25 | 192.168.2.4 | 67.195.228.94
Jul 6, 2024 09:10:33.682821989 CEST | 58417 | 25 | 192.168.2.4 | 142.251.173.26
Jul 6, 2024 09:10:34.689682007 CEST | 58417 | 25 | 192.168.2.4 | 142.251.173.26
Jul 6, 2024 09:10:36.689677000 CEST | 58417 | 25 | 192.168.2.4 | 142.251.173.26
Jul 6, 2024 09:10:40.689682961 CEST | 58417 | 25 | 192.168.2.4 | 142.251.173.26
Jul 6, 2024 09:10:48.689732075 CEST | 58417 | 25 | 192.168.2.4 | 142.251.173.26
Jul 6, 2024 09:10:50.658696890 CEST | 58415 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:10:50.658785105 CEST | 443 | 58415 | 195.133.13.231 | 192.168.2.4
Jul 6, 2024 09:10:50.658843040 CEST | 58415 | 443 | 192.168.2.4 | 195.133.13.231
Jul 6, 2024 09:10:50.777395964 CEST | 58418 | 443 | 192.168.2.4 | 80.66.75.11
Jul 6, 2024 09:10:50.777440071 CEST | 443 | 58418 | 80.66.75.11 | 192.168.2.4
Jul 6, 2024 09:10:50.777654886 CEST | 58418 | 443 | 192.168.2.4 | 80.66.75.11
Jul 6, 2024 09:10:53.826019049 CEST | 58419 | 25 | 192.168.2.4 | 94.100.180.31
Jul 6, 2024 09:10:54.830389023 CEST | 58419 | 25 | 192.168.2.4 | 94.100.180.31
Jul 6, 2024 09:10:56.845967054 CEST | 58419 | 25 | 192.168.2.4 | 94.100.180.31
Jul 6, 2024 09:11:00.861612082 CEST | 58419 | 25 | 192.168.2.4 | 94.100.180.31
Jul 6, 2024 09:11:08.861622095 CEST | 58419 | 25 | 192.168.2.4 | 94.100.180.31
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 6, 2024 09:07:26.814307928 CEST | 63470 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:07:26.822060108 CEST | 53 | 63470 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:07:29.847974062 CEST | 65319 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:07:29.949486017 CEST | 53 | 65319 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:07:46.605709076 CEST | 53 | 60752 | 162.159.36.2 | 192.168.2.4
Jul 6, 2024 09:07:46.815073967 CEST | 63612 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:07:46.821835995 CEST | 53 | 63612 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:07:46.822587967 CEST | 62200 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:07:46.831470966 CEST | 53 | 62200 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:07:47.097781897 CEST | 58980 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:07:47.104604006 CEST | 53 | 58980 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:07:58.092180014 CEST | 55243 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:07:58.099659920 CEST | 53 | 55243 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:08:06.846370935 CEST | 65114 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:08:06.854034901 CEST | 53 | 65114 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:08:06.854772091 CEST | 65092 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:08:06.862607002 CEST | 53 | 65092 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:08:10.143599987 CEST | 53868 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:08:10.295814037 CEST | 53 | 53868 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:08:26.877829075 CEST | 57976 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:08:26.885570049 CEST | 53 | 57976 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:08:26.886821032 CEST | 52364 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:08:26.894076109 CEST | 53 | 52364 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:09:53.381567955 CEST | 52445 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:09:53.630542994 CEST | 53 | 52445 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:10:13.643323898 CEST | 52756 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:10:13.650563002 CEST | 53 | 52756 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:10:13.651390076 CEST | 55162 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:10:13.658704042 CEST | 53 | 55162 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:10:33.674823046 CEST | 56136 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:10:33.682007074 CEST | 53 | 56136 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:10:50.769082069 CEST | 54089 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:10:50.776566982 CEST | 53 | 54089 | 1.1.1.1 | 192.168.2.4
Jul 6, 2024 09:10:53.675098896 CEST | 62069 | 53 | 192.168.2.4 | 1.1.1.1
Jul 6, 2024 09:10:53.825036049 CEST | 53 | 62069 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 6, 2024 09:07:26.814307928 CEST | 192.168.2.4 | 1.1.1.1 | 0x645b | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:07:29.847974062 CEST | 192.168.2.4 | 1.1.1.1 | 0x93a0 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:07:46.815073967 CEST | 192.168.2.4 | 1.1.1.1 | 0xf78a | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:07:46.822587967 CEST | 192.168.2.4 | 1.1.1.1 | 0x6477 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:07:47.097781897 CEST | 192.168.2.4 | 1.1.1.1 | 0xb5a3 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jul 6, 2024 09:07:58.092180014 CEST | 192.168.2.4 | 1.1.1.1 | 0xa162 | Standard query (0) | 50.23.12.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jul 6, 2024 09:08:06.846370935 CEST | 192.168.2.4 | 1.1.1.1 | 0x2ab3 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:08:06.854772091 CEST | 192.168.2.4 | 1.1.1.1 | 0x541 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:08:10.143599987 CEST | 192.168.2.4 | 1.1.1.1 | 0xa3c7 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:08:26.877829075 CEST | 192.168.2.4 | 1.1.1.1 | 0x122e | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:08:26.886821032 CEST | 192.168.2.4 | 1.1.1.1 | 0x9e6f | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:09:53.381567955 CEST | 192.168.2.4 | 1.1.1.1 | 0xd339 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:10:13.643323898 CEST | 192.168.2.4 | 1.1.1.1 | 0x3656 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:10:13.651390076 CEST | 192.168.2.4 | 1.1.1.1 | 0x12f8 | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:10:33.674823046 CEST | 192.168.2.4 | 1.1.1.1 | 0x460a | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:10:50.769082069 CEST | 192.168.2.4 | 1.1.1.1 | 0x8d8b | Standard query (0) | jotunheim.name | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:10:53.675098896 CEST | 192.168.2.4 | 1.1.1.1 | 0xf2dc | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                          Jul 6, 2024 09:07:26.822060108 CEST1.1.1.1192.168.2.40x645bNo error (0)microsoft-com.mail.protection.outlook.com52.101.11.0A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:26.822060108 CEST1.1.1.1192.168.2.40x645bNo error (0)microsoft-com.mail.protection.outlook.com52.101.8.49A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:26.822060108 CEST1.1.1.1192.168.2.40x645bNo error (0)microsoft-com.mail.protection.outlook.com52.101.42.0A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:26.822060108 CEST1.1.1.1192.168.2.40x645bNo error (0)microsoft-com.mail.protection.outlook.com52.101.40.26A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:29.949486017 CEST1.1.1.1192.168.2.40x93a0No error (0)vanaheim.cn195.133.13.231A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.821835995 CEST1.1.1.1192.168.2.40xf78aNo error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.821835995 CEST1.1.1.1192.168.2.40xf78aNo error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.821835995 CEST1.1.1.1192.168.2.40xf78aNo error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.831470966 CEST1.1.1.1192.168.2.40x6477No error (0)mta6.am0.yahoodns.net98.136.96.75A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.831470966 CEST1.1.1.1192.168.2.40x6477No error (0)mta6.am0.yahoodns.net67.195.228.111A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.831470966 CEST1.1.1.1192.168.2.40x6477No error (0)mta6.am0.yahoodns.net67.195.204.74A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.831470966 CEST1.1.1.1192.168.2.40x6477No error (0)mta6.am0.yahoodns.net67.195.204.77A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.831470966 CEST1.1.1.1192.168.2.40x6477No error (0)mta6.am0.yahoodns.net67.195.228.94A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.831470966 CEST1.1.1.1192.168.2.40x6477No error (0)mta6.am0.yahoodns.net67.195.228.106A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.831470966 CEST1.1.1.1192.168.2.40x6477No error (0)mta6.am0.yahoodns.net98.136.96.76A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:46.831470966 CEST1.1.1.1192.168.2.40x6477No error (0)mta6.am0.yahoodns.net67.195.204.73A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:47.104604006 CEST1.1.1.1192.168.2.40xb5a3Name error (3)15.164.165.52.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                                                                                          Jul 6, 2024 09:07:58.099659920 CEST1.1.1.1192.168.2.40xa162Name error (3)50.23.12.20.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                                                                                          Jul 6, 2024 09:08:06.854034901 CEST1.1.1.1192.168.2.40x2ab3No error (0)google.comMX (Mail exchange)IN (0x0001)false
                                                                                          Jul 6, 2024 09:08:06.862607002 CEST1.1.1.1192.168.2.40x541No error (0)smtp.google.com142.251.173.26A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:08:06.862607002 CEST1.1.1.1192.168.2.40x541No error (0)smtp.google.com64.233.184.26A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:08:06.862607002 CEST1.1.1.1192.168.2.40x541No error (0)smtp.google.com64.233.184.27A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:08:06.862607002 CEST1.1.1.1192.168.2.40x541No error (0)smtp.google.com142.251.173.27A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:08:06.862607002 CEST1.1.1.1192.168.2.40x541No error (0)smtp.google.com74.125.206.27A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:08:10.295814037 CEST1.1.1.1192.168.2.40xa3c7No error (0)vanaheim.cn195.133.13.231A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:08:26.885570049 CEST1.1.1.1192.168.2.40x122eNo error (0)mail.ruMX (Mail exchange)IN (0x0001)false
                                                                                          Jul 6, 2024 09:08:26.894076109 CEST1.1.1.1192.168.2.40x9e6fNo error (0)mxs.mail.ru217.69.139.150A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:08:26.894076109 CEST1.1.1.1192.168.2.40x9e6fNo error (0)mxs.mail.ru94.100.180.31A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:09:53.630542994 CEST1.1.1.1192.168.2.40xd339No error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:09:53.630542994 CEST1.1.1.1192.168.2.40xd339No error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.650563002 CEST1.1.1.1192.168.2.40x3656No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.650563002 CEST1.1.1.1192.168.2.40x3656No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.650563002 CEST1.1.1.1192.168.2.40x3656No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.658704042 CEST1.1.1.1192.168.2.40x12f8No error (0)mta7.am0.yahoodns.net67.195.228.94A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.658704042 CEST1.1.1.1192.168.2.40x12f8No error (0)mta7.am0.yahoodns.net67.195.228.106A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.658704042 CEST1.1.1.1192.168.2.40x12f8No error (0)mta7.am0.yahoodns.net98.136.96.76A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.658704042 CEST1.1.1.1192.168.2.40x12f8No error (0)mta7.am0.yahoodns.net67.195.204.79A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.658704042 CEST1.1.1.1192.168.2.40x12f8No error (0)mta7.am0.yahoodns.net98.136.96.77A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.658704042 CEST1.1.1.1192.168.2.40x12f8No error (0)mta7.am0.yahoodns.net67.195.228.110A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.658704042 CEST1.1.1.1192.168.2.40x12f8No error (0)mta7.am0.yahoodns.net98.136.96.74A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:13.658704042 CEST1.1.1.1192.168.2.40x12f8No error (0)mta7.am0.yahoodns.net67.195.228.111A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:33.682007074 CEST1.1.1.1192.168.2.40x460aNo error (0)google.comMX (Mail exchange)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:50.776566982 CEST1.1.1.1192.168.2.40x8d8bNo error (0)jotunheim.name80.66.75.11A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:53.825036049 CEST1.1.1.1192.168.2.40xf2dcNo error (0)mxs.mail.ru94.100.180.31A (IP address)IN (0x0001)false
                                                                                          Jul 6, 2024 09:10:53.825036049 CEST1.1.1.1192.168.2.40xf2dcNo error (0)mxs.mail.ru217.69.139.150A (IP address)IN (0x0001)false


                                                                                          Target ID:0
                                                                                          Start time:03:07:02
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:235'008 bytes
                                                                                          MD5 hash:B40B6B9BD2F7D17A65C72469EE2E2CFA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4192202050.0000000002862000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1770605242.0000000004460000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1770605242.0000000004460000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1770605242.0000000004460000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          Target ID:1
                                                                                          Start time:03:07:06
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeuwztgf\
                                                                                          Imagebase:0x240000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:03:07:06
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:03:07:07
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lfkidgdf.exe" C:\Windows\SysWOW64\qeuwztgf\
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:03:07:07
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:03:07:07
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                          Imagebase:0x6d0000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:03:07:08
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:7
                                                                                          Start time:03:07:08
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" description qeuwztgf "wifi internet conection"
                                                                                          Imagebase:0x6d0000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:8
                                                                                          Start time:03:07:08
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:03:07:09
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" start qeuwztgf
                                                                                          Imagebase:0x6d0000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:03:07:09
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:03:07:09
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:12'696'064 bytes
                                                                                          MD5 hash:1D7112211B0E3F7C2ED96B0897990451
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.2160657446.0000000002AAD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.2160785378.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.2160785378.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.2160785378.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.1856330126.0000000003120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000003.1856330126.0000000003120000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000003.1856330126.0000000003120000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:03:07:09
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                          Imagebase:0x1560000
                                                                                          File size:82'432 bytes
                                                                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:03:07:09
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:03:07:15
                                                                                          Start date:06/07/2024
                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:svchost.exe
                                                                                          Imagebase:0x730000
                                                                                          File size:46'504 bytes
                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Reputation:moderate
                                                                                          Has exited:false


                                                                                            Execution Graph

                                                                                            Execution Coverage:4%
                                                                                            Dynamic/Decrypted Code Coverage:2.2%
                                                                                            Signature Coverage:24.9%
                                                                                            Total number of Nodes:1529
                                                                                            Total number of Limit Nodes:19
15389->15390 15390->15386 15391 40e4b9 RegQueryValueExA 15390->15391 15392 40e4e8 15390->15392 15391->15390 15391->15392 15392->15386 15393 40e332 14 API calls 15392->15393 15394 40e513 15393->15394 15394->15386 15396 40db89 lstrcpyA CreateFileA 15395->15396 15397 40dbca 15395->15397 15396->15365 15397->15365 15400 40ec01 15399->15400 15401 40ebf6 15399->15401 15402 40eba0 codecvt 2 API calls 15400->15402 15403 40ebcc 4 API calls 15401->15403 15405 40ec0a GetProcessHeap HeapReAlloc 15402->15405 15404 40ebfe 15403->15404 15404->15373 15406 40eb74 2 API calls 15405->15406 15407 40ec28 15406->15407 15407->15373 15422 40eb41 15408->15422 15412 40de3a 15411->15412 15418 40de4e 15412->15418 15426 40dd84 15412->15426 15415 40de9e 15416 40ebed 8 API calls 15415->15416 15415->15418 15420 40def6 15416->15420 15417 40de76 15430 40ddcf 15417->15430 15418->15379 15420->15418 15421 40ddcf lstrcmpA 15420->15421 15421->15418 15423 40eb54 15422->15423 15424 40eb4a 15422->15424 15423->15379 15425 40eae4 2 API calls 15424->15425 15425->15423 15427 40dd96 15426->15427 15428 40ddc5 15426->15428 15427->15428 15429 40ddad lstrcmpiA 15427->15429 15428->15415 15428->15417 15429->15427 15429->15428 15431 40de20 15430->15431 15432 40dddd 15430->15432 15431->15418 15432->15431 15433 40ddfa lstrcmpA 15432->15433 15433->15432 15435 40dd05 6 API calls 15434->15435 15436 40e821 15435->15436 15437 40dd84 lstrcmpiA 15436->15437 15438 40e82c 15437->15438 15439 40e844 15438->15439 15482 402480 15438->15482 15439->15007 15442 40dd05 6 API calls 15441->15442 15443 40df7c 15442->15443 15444 40dd84 lstrcmpiA 15443->15444 15448 40df89 15444->15448 15445 40dfc4 15445->15014 15446 40ddcf lstrcmpA 15446->15448 15447 40ec2e codecvt 4 API calls 15447->15448 15448->15445 15448->15446 15448->15447 15449 40dd84 lstrcmpiA 15448->15449 15449->15448 15451 40ea98 15450->15451 15491 40e8a1 15451->15491 15453 401e84 15453->15015 15455 4019d5 GetProcAddress GetProcAddress GetProcAddress 15454->15455 15456 4019ce 
15454->15456 15457 401ab3 FreeLibrary 15455->15457 15458 401a04 15455->15458 15456->15020 15457->15456 15458->15457 15459 401a14 GetProcessHeap 15458->15459 15459->15456 15461 401a2e HeapAlloc 15459->15461 15461->15456 15462 401a42 15461->15462 15463 401a52 HeapReAlloc 15462->15463 15465 401a62 15462->15465 15463->15465 15464 401aa1 FreeLibrary 15464->15456 15465->15464 15466 401a96 HeapFree 15465->15466 15466->15464 15519 401ac3 LoadLibraryA 15467->15519 15470 401bcf 15470->15031 15472 401ac3 12 API calls 15471->15472 15473 401c09 15472->15473 15474 401c41 15473->15474 15475 401c0d GetComputerNameA 15473->15475 15474->15039 15476 401c45 GetVolumeInformationA 15475->15476 15477 401c1f 15475->15477 15476->15474 15477->15474 15477->15476 15479 40ee2a 15478->15479 15480 4030d0 gethostname gethostbyname 15479->15480 15481 401f82 15480->15481 15481->15045 15481->15046 15485 402419 lstrlenA 15482->15485 15484 402491 15484->15439 15486 402474 15485->15486 15487 40243d lstrlenA 15485->15487 15486->15484 15488 402464 lstrlenA 15487->15488 15489 40244e lstrcmpiA 15487->15489 15488->15486 15488->15487 15489->15488 15490 40245c 15489->15490 15490->15486 15490->15488 15492 40dd05 6 API calls 15491->15492 15493 40e8b4 15492->15493 15494 40dd84 lstrcmpiA 15493->15494 15495 40e8c0 15494->15495 15496 40e90a 15495->15496 15497 40e8c8 lstrcpynA 15495->15497 15499 402419 4 API calls 15496->15499 15507 40ea27 15496->15507 15498 40e8f5 15497->15498 15512 40df4c 15498->15512 15500 40e926 lstrlenA lstrlenA 15499->15500 15501 40e96a 15500->15501 15502 40e94c lstrlenA 15500->15502 15506 40ebcc 4 API calls 15501->15506 15501->15507 15502->15501 15504 40e901 15505 40dd84 lstrcmpiA 15504->15505 15505->15496 15508 40e98f 15506->15508 15507->15453 15508->15507 15509 40df4c 20 API calls 15508->15509 15510 40ea1e 15509->15510 15511 40ec2e codecvt 4 API calls 15510->15511 15511->15507 15513 40dd05 6 API calls 15512->15513 15514 40df51 15513->15514 15515 40f04e 4 API calls 15514->15515 15516 40df58 
15515->15516 15517 40de24 10 API calls 15516->15517 15518 40df63 15517->15518 15518->15504 15520 401ae2 GetProcAddress 15519->15520 15523 401b68 GetComputerNameA GetVolumeInformationA 15519->15523 15521 401af5 15520->15521 15520->15523 15522 40ebed 8 API calls 15521->15522 15524 401b29 15521->15524 15522->15521 15523->15470 15524->15523 15524->15524 15525 40ec2e codecvt 4 API calls 15524->15525 15525->15523 15527 406ec3 2 API calls 15526->15527 15528 407ef4 15527->15528 15529 4073ff 17 API calls 15528->15529 15530 407fc9 15528->15530 15531 407f16 15529->15531 15530->15058 15531->15530 15539 407809 GetUserNameA 15531->15539 15533 407f63 15533->15530 15534 40ef1e lstrlenA 15533->15534 15535 407fa6 15534->15535 15536 40ef1e lstrlenA 15535->15536 15537 407fb7 15536->15537 15563 407a95 RegOpenKeyExA 15537->15563 15540 40783d LookupAccountNameA 15539->15540 15541 407a8d 15539->15541 15540->15541 15542 407874 GetLengthSid GetFileSecurityA 15540->15542 15541->15533 15542->15541 15543 4078a8 GetSecurityDescriptorOwner 15542->15543 15544 4078c5 EqualSid 15543->15544 15545 40791d GetSecurityDescriptorDacl 15543->15545 15544->15545 15546 4078dc LocalAlloc 15544->15546 15545->15541 15558 407941 15545->15558 15546->15545 15547 4078ef InitializeSecurityDescriptor 15546->15547 15549 407916 LocalFree 15547->15549 15550 4078fb SetSecurityDescriptorOwner 15547->15550 15548 40795b GetAce 15548->15558 15549->15545 15550->15549 15551 40790b SetFileSecurityA 15550->15551 15551->15549 15552 407980 EqualSid 15552->15558 15553 407a3d 15553->15541 15556 407a43 LocalAlloc 15553->15556 15554 4079be EqualSid 15554->15558 15555 40799d DeleteAce 15555->15558 15556->15541 15557 407a56 InitializeSecurityDescriptor 15556->15557 15559 407a62 SetSecurityDescriptorDacl 15557->15559 15560 407a86 LocalFree 15557->15560 15558->15541 15558->15548 15558->15552 15558->15553 15558->15554 15558->15555 15559->15560 15561 407a73 SetFileSecurityA 15559->15561 15560->15541 15561->15560 15562 407a83 15561->15562 
15562->15560 15564 407ac4 15563->15564 15565 407acb GetUserNameA 15563->15565 15564->15530 15566 407da7 RegCloseKey 15565->15566 15567 407aed LookupAccountNameA 15565->15567 15566->15564 15567->15566 15568 407b24 RegGetKeySecurity 15567->15568 15568->15566 15569 407b49 GetSecurityDescriptorOwner 15568->15569 15570 407b63 EqualSid 15569->15570 15571 407bb8 GetSecurityDescriptorDacl 15569->15571 15570->15571 15572 407b74 LocalAlloc 15570->15572 15573 407da6 15571->15573 15580 407bdc 15571->15580 15572->15571 15574 407b8a InitializeSecurityDescriptor 15572->15574 15573->15566 15575 407bb1 LocalFree 15574->15575 15576 407b96 SetSecurityDescriptorOwner 15574->15576 15575->15571 15576->15575 15578 407ba6 RegSetKeySecurity 15576->15578 15577 407bf8 GetAce 15577->15580 15578->15575 15579 407c1d EqualSid 15579->15580 15580->15573 15580->15577 15580->15579 15581 407cd9 15580->15581 15582 407c5f EqualSid 15580->15582 15583 407c3a DeleteAce 15580->15583 15581->15573 15584 407d5a LocalAlloc 15581->15584 15585 407cf2 RegOpenKeyExA 15581->15585 15582->15580 15583->15580 15584->15573 15586 407d70 InitializeSecurityDescriptor 15584->15586 15585->15584 15591 407d0f 15585->15591 15587 407d7c SetSecurityDescriptorDacl 15586->15587 15588 407d9f LocalFree 15586->15588 15587->15588 15589 407d8c RegSetKeySecurity 15587->15589 15588->15573 15589->15588 15590 407d9c 15589->15590 15590->15588 15592 407d43 RegSetValueExA 15591->15592 15592->15584 15593 407d54 15592->15593 15593->15584 15594->15074 15596 40dd05 6 API calls 15595->15596 15597 40e65f 15596->15597 15598 40e6a5 15597->15598 15600 40e68c lstrcmpA 15597->15600 15599 40ebcc 4 API calls 15598->15599 15601 40e6f5 15598->15601 15602 40e6b0 15599->15602 15600->15597 15603 40e71d lstrcmpA 15601->15603 15604 40e6b7 15601->15604 15602->15601 15602->15604 15605 40e6e0 lstrcpynA 15602->15605 15603->15601 15604->15076 15605->15601 15606->15082 15608 40c525 15607->15608 15609 40c532 15607->15609 15608->15609 15611 40ec2e codecvt 4 API calls 
15608->15611 15610 40c548 15609->15610 15759 40e7ff 15609->15759 15612 40c54f 15610->15612 15614 40e7ff lstrcmpiA 15610->15614 15611->15609 15612->15095 15615 40c615 15614->15615 15615->15612 15616 40ebcc 4 API calls 15615->15616 15616->15612 15617 40c5d1 15620 40ebcc 4 API calls 15617->15620 15619 40e819 11 API calls 15621 40c5b7 15619->15621 15620->15612 15622 40f04e 4 API calls 15621->15622 15623 40c5bf 15622->15623 15623->15610 15623->15617 15625 402692 inet_addr 15624->15625 15626 40268e 15624->15626 15625->15626 15627 40269e gethostbyname 15625->15627 15628 40f428 15626->15628 15627->15626 15762 40f315 15628->15762 15633 40c8d2 15631->15633 15632 40c907 15632->15097 15633->15632 15634 40c517 23 API calls 15633->15634 15634->15632 15635 40f43e 15636 40f473 recv 15635->15636 15637 40f458 15636->15637 15638 40f47c 15636->15638 15637->15636 15637->15638 15638->15113 15640 40c670 15639->15640 15641 40c67d 15639->15641 15643 40ebcc 4 API calls 15640->15643 15642 40c699 15641->15642 15644 40ebcc 4 API calls 15641->15644 15645 40c6f3 15642->15645 15646 40c73c send 15642->15646 15643->15641 15644->15642 15645->15126 15645->15191 15646->15645 15648 40c770 15647->15648 15649 40c77d 15647->15649 15651 40ebcc 4 API calls 15648->15651 15650 40c799 15649->15650 15652 40ebcc 4 API calls 15649->15652 15653 40c7b5 15650->15653 15654 40ebcc 4 API calls 15650->15654 15651->15649 15652->15650 15655 40f43e recv 15653->15655 15654->15653 15656 40c7cb 15655->15656 15657 40f43e recv 15656->15657 15658 40c7d3 15656->15658 15657->15658 15658->15191 15775 407db7 15659->15775 15662 40f04e 4 API calls 15664 407e4c 15662->15664 15663 40f04e 4 API calls 15665 407e96 15663->15665 15666 40f04e 4 API calls 15664->15666 15667 407e70 15664->15667 15665->15191 15666->15667 15667->15663 15667->15665 15669 406ec3 2 API calls 15668->15669 15670 407fdd 15669->15670 15671 4073ff 17 API calls 15670->15671 15672 4080c2 CreateProcessA 15670->15672 15673 407fff 15671->15673 15672->15178 15672->15179 
15673->15672 15674 407809 21 API calls 15673->15674 15675 40804d 15674->15675 15675->15672 15676 40ef1e lstrlenA 15675->15676 15677 40809e 15676->15677 15678 40ef1e lstrlenA 15677->15678 15679 4080af 15678->15679 15680 407a95 24 API calls 15679->15680 15680->15672 15682 407db7 2 API calls 15681->15682 15683 407eb8 15682->15683 15684 40f04e 4 API calls 15683->15684 15685 407ece DeleteFileA 15684->15685 15685->15191 15687 40dd05 6 API calls 15686->15687 15688 40e31d 15687->15688 15779 40e177 15688->15779 15690 40e326 15690->15151 15692 4031f3 15691->15692 15702 4031ec 15691->15702 15693 40ebcc 4 API calls 15692->15693 15707 4031fc 15693->15707 15694 40344b 15695 403459 15694->15695 15696 40349d 15694->15696 15698 40f04e 4 API calls 15695->15698 15697 40ec2e codecvt 4 API calls 15696->15697 15697->15702 15699 40345f 15698->15699 15700 4030fa 4 API calls 15699->15700 15700->15702 15701 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15701->15707 15702->15191 15703 40344d 15704 40ec2e codecvt 4 API calls 15703->15704 15704->15694 15706 403141 lstrcmpiA 15706->15707 15707->15694 15707->15701 15707->15702 15707->15703 15707->15706 15805 4030fa GetTickCount 15707->15805 15709 4030fa 4 API calls 15708->15709 15710 403c1a 15709->15710 15714 403ce6 15710->15714 15810 403a72 15710->15810 15713 403a72 9 API calls 15717 403c5e 15713->15717 15714->15191 15715 403a72 9 API calls 15715->15717 15716 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15716->15717 15717->15714 15717->15715 15717->15716 15719 403a10 15718->15719 15720 4030fa 4 API calls 15719->15720 15721 403a1a 15720->15721 15721->15191 15723 40dd05 6 API calls 15722->15723 15724 40e7be 15723->15724 15724->15191 15726 40c105 15725->15726 15727 40c07e wsprintfA 15725->15727 15726->15191 15819 40bfce GetTickCount wsprintfA 15727->15819 15729 40c0ef 15820 40bfce GetTickCount wsprintfA 15729->15820 15732 407047 15731->15732 15733 406f88 LookupAccountNameA 15731->15733 15732->15191 15735 407025 
15733->15735 15736 406fcb 15733->15736 15737 406edd 5 API calls 15735->15737 15739 406fdb ConvertSidToStringSidA 15736->15739 15738 40702a wsprintfA 15737->15738 15738->15732 15739->15735 15740 406ff1 15739->15740 15741 407013 LocalFree 15740->15741 15741->15735 15743 40dd05 6 API calls 15742->15743 15744 40e85c 15743->15744 15745 40dd84 lstrcmpiA 15744->15745 15746 40e867 15745->15746 15747 40e885 lstrcpyA 15746->15747 15821 4024a5 15746->15821 15824 40dd69 15747->15824 15753 407db7 2 API calls 15752->15753 15754 407de1 15753->15754 15755 40f04e 4 API calls 15754->15755 15758 407e16 15754->15758 15756 407df2 15755->15756 15757 40f04e 4 API calls 15756->15757 15756->15758 15757->15758 15758->15191 15760 40dd84 lstrcmpiA 15759->15760 15761 40c58e 15760->15761 15761->15610 15761->15617 15761->15619 15763 40ca1d 15762->15763 15764 40f33b 15762->15764 15763->15110 15763->15635 15765 40f347 htons socket 15764->15765 15766 40f382 ioctlsocket 15765->15766 15767 40f374 closesocket 15765->15767 15768 40f3aa connect select 15766->15768 15769 40f39d 15766->15769 15767->15763 15768->15763 15771 40f3f2 __WSAFDIsSet 15768->15771 15770 40f39f closesocket 15769->15770 15770->15763 15771->15770 15772 40f403 ioctlsocket 15771->15772 15774 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15772->15774 15774->15763 15776 407dc8 InterlockedExchange 15775->15776 15777 407dc0 Sleep 15776->15777 15778 407dd4 15776->15778 15777->15776 15778->15662 15778->15667 15780 40e184 15779->15780 15781 40e2e4 15780->15781 15782 40e223 15780->15782 15795 40dfe2 15780->15795 15781->15690 15782->15781 15784 40dfe2 8 API calls 15782->15784 15789 40e23c 15784->15789 15785 40e1be 15785->15782 15786 40dbcf 3 API calls 15785->15786 15788 40e1d6 15786->15788 15787 40e21a CloseHandle 15787->15782 15788->15782 15788->15787 15790 40e1f9 WriteFile 15788->15790 15789->15781 15799 40e095 RegCreateKeyExA 15789->15799 15790->15787 15792 40e213 15790->15792 15792->15787 15793 40e2a3 15793->15781 15794 
40e095 4 API calls 15793->15794 15794->15781 15796 40dffc 15795->15796 15798 40e024 15795->15798 15797 40db2e 8 API calls 15796->15797 15796->15798 15797->15798 15798->15785 15800 40e172 15799->15800 15801 40e0c0 15799->15801 15800->15793 15803 40e115 RegSetValueExA 15801->15803 15804 40e13d 15801->15804 15802 40e14e RegDeleteValueA RegCloseKey 15802->15800 15803->15801 15803->15804 15804->15802 15806 403122 InterlockedExchange 15805->15806 15807 40312e 15806->15807 15808 40310f GetTickCount 15806->15808 15807->15707 15808->15807 15809 40311a Sleep 15808->15809 15809->15806 15811 40f04e 4 API calls 15810->15811 15818 403a83 15811->15818 15812 403bc0 15813 403be6 15812->15813 15814 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15812->15814 15815 40ec2e codecvt 4 API calls 15813->15815 15814->15812 15817 403ac1 15815->15817 15816 403b66 lstrlenA 15816->15817 15816->15818 15817->15713 15817->15714 15818->15812 15818->15816 15818->15817 15819->15729 15820->15726 15822 402419 4 API calls 15821->15822 15823 4024b6 15822->15823 15823->15747 15825 40dd79 lstrlenA 15824->15825 15825->15191 15827 404084 15826->15827 15828 40407d 15826->15828 15829 403ecd 6 API calls 15827->15829 15830 40408f 15829->15830 15831 404000 3 API calls 15830->15831 15833 404095 15831->15833 15832 404130 15834 403ecd 6 API calls 15832->15834 15833->15832 15836 403f18 4 API calls 15833->15836 15835 404159 CreateNamedPipeA 15834->15835 15837 404167 Sleep 15835->15837 15838 404188 ConnectNamedPipe 15835->15838 15840 4040da 15836->15840 15837->15832 15839 404176 CloseHandle 15837->15839 15841 404195 GetLastError 15838->15841 15852 4041ab 15838->15852 15839->15838 15842 403f8c 4 API calls 15840->15842 15843 40425e DisconnectNamedPipe 15841->15843 15841->15852 15844 4040ec 15842->15844 15843->15838 15845 4040f3 15844->15845 15846 404127 CloseHandle 15844->15846 15845->15846 15847 404101 15845->15847 15846->15832 15849 403f18 4 API calls 15847->15849 15848 403f18 WriteFile GetLastError 
WaitForSingleObject GetOverlappedResult 15848->15852 15850 40411c ExitProcess 15849->15850 15851 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15851->15852 15852->15838 15852->15843 15852->15848 15852->15851 15853 40426a CloseHandle CloseHandle 15852->15853 15854 40e318 23 API calls 15853->15854 15855 40427b 15854->15855 15855->15855 15857 408791 15856->15857 15858 40879f 15856->15858 15859 40f04e 4 API calls 15857->15859 15860 4087bc 15858->15860 15862 40f04e 4 API calls 15858->15862 15859->15858 15861 40e819 11 API calls 15860->15861 15863 4087d7 15861->15863 15862->15860 15875 408803 15863->15875 15877 4026b2 gethostbyaddr 15863->15877 15865 4087eb 15867 40e8a1 30 API calls 15865->15867 15865->15875 15867->15875 15870 40e819 11 API calls 15870->15875 15871 4088a0 Sleep 15871->15875 15873 4026b2 2 API calls 15873->15875 15874 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15874->15875 15875->15870 15875->15871 15875->15873 15875->15874 15876 40e8a1 30 API calls 15875->15876 15882 40c4d6 15875->15882 15885 40c4e2 15875->15885 15888 402011 15875->15888 15923 408328 15875->15923 15876->15875 15878 4026fb 15877->15878 15879 4026cd 15877->15879 15878->15865 15880 4026e1 inet_ntoa 15879->15880 15881 4026de 15879->15881 15880->15881 15881->15865 15975 40c2dc 15882->15975 15886 40c2dc 141 API calls 15885->15886 15887 40c4ec 15886->15887 15887->15875 15889 402020 15888->15889 15890 40202e 15888->15890 15891 40f04e 4 API calls 15889->15891 15892 40204b 15890->15892 15893 40f04e 4 API calls 15890->15893 15891->15890 15894 40206e GetTickCount 15892->15894 15895 40f04e 4 API calls 15892->15895 15893->15892 15896 4020db GetTickCount 15894->15896 15904 402090 15894->15904 15898 402068 15895->15898 15897 402132 GetTickCount GetTickCount 15896->15897 15908 4020e7 15896->15908 15900 40f04e 4 API calls 15897->15900 15898->15894 15899 4020d4 GetTickCount 15899->15896 15903 402159 15900->15903 15901 40212b GetTickCount 
15901->15897 15902 402684 2 API calls 15902->15904 15907 40e854 13 API calls 15903->15907 15922 4021b4 15903->15922 15904->15899 15904->15902 15911 4020ce 15904->15911 16310 401978 15904->16310 15906 40f04e 4 API calls 15910 4021d1 15906->15910 15912 40218e 15907->15912 15908->15901 15913 401978 15 API calls 15908->15913 15914 402125 15908->15914 16315 402ef8 15908->16315 15916 40ea84 30 API calls 15910->15916 15921 4021f2 15910->15921 15911->15899 15915 40e819 11 API calls 15912->15915 15913->15908 15914->15901 15918 40219c 15915->15918 15917 4021ec 15916->15917 15919 40f04e 4 API calls 15917->15919 15918->15922 16323 401c5f 15918->16323 15919->15921 15921->15875 15922->15906 15924 407dd6 6 API calls 15923->15924 15925 40833c 15924->15925 15926 408340 15925->15926 15927 406ec3 2 API calls 15925->15927 15926->15875 15928 40834f 15927->15928 15929 40835c 15928->15929 15933 40846b 15928->15933 15930 4073ff 17 API calls 15929->15930 15931 408373 15930->15931 15931->15926 15954 4083ea RegOpenKeyExA 15931->15954 15960 408450 15931->15960 15932 40675c 21 API calls 15939 4085df 15932->15939 15935 4084a7 RegOpenKeyExA 15933->15935 15933->15960 15934 408626 GetTempPathA 15966 408638 15934->15966 15937 4084c0 RegQueryValueExA 15935->15937 15944 40852f 15935->15944 15940 408521 RegCloseKey 15937->15940 15941 4084dd 15937->15941 15938 4086ad 15942 408762 15938->15942 15943 407e2f 6 API calls 15938->15943 15939->15934 15939->15942 15939->15966 15940->15944 15941->15940 15949 40ebcc 4 API calls 15941->15949 15942->15926 15948 40ec2e codecvt 4 API calls 15942->15948 15953 4086bb 15943->15953 15945 408564 RegOpenKeyExA 15944->15945 15952 4085a5 15944->15952 15946 408573 RegSetValueExA RegCloseKey 15945->15946 15945->15952 15946->15952 15947 40875b DeleteFileA 15947->15942 15948->15926 15951 4084f0 15949->15951 15951->15940 15955 4084f8 RegQueryValueExA 15951->15955 15957 40ec2e codecvt 4 API calls 15952->15957 15952->15960 15953->15947 15961 4086e0 lstrcpyA lstrlenA 15953->15961 
15958 4083fd RegQueryValueExA 15954->15958 15954->15960 15955->15940 15956 408515 15955->15956 15959 40ec2e codecvt 4 API calls 15956->15959 15957->15960 15962 40842d RegSetValueExA 15958->15962 15963 40841e 15958->15963 15964 40851d 15959->15964 15960->15932 15960->15939 15965 407fcf 64 API calls 15961->15965 15967 408447 RegCloseKey 15962->15967 15963->15962 15963->15967 15964->15940 15968 408719 CreateProcessA 15965->15968 16395 406ba7 IsBadCodePtr 15966->16395 15967->15960 15969 40873d CloseHandle CloseHandle 15968->15969 15970 40874f 15968->15970 15969->15942 15971 407ee6 64 API calls 15970->15971 15972 408754 15971->15972 15973 407ead 6 API calls 15972->15973 15974 40875a 15973->15974 15974->15947 15991 40a4c7 GetTickCount 15975->15991 15978 40c300 GetTickCount 15980 40c337 15978->15980 15979 40c326 15979->15980 15981 40c32b GetTickCount 15979->15981 15984 40c363 GetTickCount 15980->15984 15990 40c45e 15980->15990 15981->15980 15982 40c4d2 15982->15875 15983 40c4ab InterlockedIncrement CreateThread 15983->15982 15985 40c4cb CloseHandle 15983->15985 15996 40b535 15983->15996 15986 40c373 15984->15986 15984->15990 15985->15982 15987 40c378 GetTickCount 15986->15987 15988 40c37f 15986->15988 15987->15988 15989 40c43b GetTickCount 15988->15989 15989->15990 15990->15982 15990->15983 15992 40a4f7 InterlockedExchange 15991->15992 15993 40a500 15992->15993 15994 40a4e4 GetTickCount 15992->15994 15993->15978 15993->15979 15993->15990 15994->15993 15995 40a4ef Sleep 15994->15995 15995->15992 15997 40b566 15996->15997 15998 40ebcc 4 API calls 15997->15998 15999 40b587 15998->15999 16000 40ebcc 4 API calls 15999->16000 16050 40b590 16000->16050 16001 40bdcd InterlockedDecrement 16002 40bde2 16001->16002 16004 40ec2e codecvt 4 API calls 16002->16004 16005 40bdea 16004->16005 16007 40ec2e codecvt 4 API calls 16005->16007 16006 40bdb7 Sleep 16006->16050 16008 40bdf2 16007->16008 16009 40be05 16008->16009 16011 40ec2e codecvt 4 API calls 16008->16011 16010 40bdcc 
16010->16001 16011->16009 16012 40ebed 8 API calls 16012->16050 16015 40b6b6 lstrlenA 16015->16050 16016 4030b5 2 API calls 16016->16050 16017 40b6ed lstrcpyA 16071 405ce1 16017->16071 16018 40e819 11 API calls 16018->16050 16021 40b731 lstrlenA 16021->16050 16022 40b71f lstrcmpA 16022->16021 16022->16050 16023 40b772 GetTickCount 16023->16050 16024 40bd49 InterlockedIncrement 16168 40a628 16024->16168 16027 40b7ce InterlockedIncrement 16081 40acd7 16027->16081 16028 40bc5b InterlockedIncrement 16028->16050 16031 40b912 GetTickCount 16031->16050 16032 40b826 InterlockedIncrement 16032->16023 16033 40b932 GetTickCount 16035 40bc6d InterlockedIncrement 16033->16035 16033->16050 16034 40bcdc closesocket 16034->16050 16035->16050 16036 405ce1 22 API calls 16036->16050 16037 4038f0 6 API calls 16037->16050 16040 40a7c1 22 API calls 16040->16050 16041 40bba6 InterlockedIncrement 16041->16050 16044 40bc4c closesocket 16044->16050 16045 40ab81 lstrcpynA InterlockedIncrement 16045->16050 16047 40ba71 wsprintfA 16102 40a7c1 16047->16102 16049 40ef1e lstrlenA 16049->16050 16050->16001 16050->16006 16050->16010 16050->16012 16050->16015 16050->16016 16050->16017 16050->16018 16050->16021 16050->16022 16050->16023 16050->16024 16050->16027 16050->16028 16050->16031 16050->16032 16050->16033 16050->16034 16050->16036 16050->16037 16050->16040 16050->16041 16050->16044 16050->16045 16050->16047 16050->16049 16051 405ded 12 API calls 16050->16051 16053 403e10 16050->16053 16056 403e4f 16050->16056 16059 40384f 16050->16059 16079 40a7a3 inet_ntoa 16050->16079 16086 40abee 16050->16086 16098 401feb GetTickCount 16050->16098 16099 40a688 16050->16099 16122 403cfb 16050->16122 16125 40b3c5 16050->16125 16156 40ab81 16050->16156 16051->16050 16054 4030fa 4 API calls 16053->16054 16055 403e1d 16054->16055 16055->16050 16057 4030fa 4 API calls 16056->16057 16058 403e5c 16057->16058 16058->16050 16060 4030fa 4 API calls 16059->16060 16062 403863 16060->16062 16061 4038b2 16061->16050 
16062->16061 16063 4038b9 16062->16063 16064 403889 16062->16064 16177 4035f9 16063->16177 16171 403718 16064->16171 16069 403718 6 API calls 16069->16061 16070 4035f9 6 API calls 16070->16061 16072 405cf4 16071->16072 16073 405cec 16071->16073 16075 404bd1 4 API calls 16072->16075 16183 404bd1 GetTickCount 16073->16183 16076 405d02 16075->16076 16188 405472 16076->16188 16080 40a7b9 16079->16080 16080->16050 16082 40f315 14 API calls 16081->16082 16083 40aceb 16082->16083 16084 40f315 14 API calls 16083->16084 16085 40acff 16083->16085 16084->16085 16085->16050 16087 40abfb 16086->16087 16090 40ac65 16087->16090 16251 402f22 16087->16251 16089 40f315 14 API calls 16089->16090 16090->16089 16091 40ac8a 16090->16091 16092 40ac6f 16090->16092 16091->16050 16094 40ab81 2 API calls 16092->16094 16093 40ac23 16093->16090 16095 402684 2 API calls 16093->16095 16096 40ac81 16094->16096 16095->16093 16259 4038f0 16096->16259 16098->16050 16273 40a63d 16099->16273 16101 40a696 16101->16050 16103 40a87d lstrlenA send 16102->16103 16104 40a7df 16102->16104 16105 40a899 16103->16105 16106 40a8bf 16103->16106 16104->16103 16111 40a7fa wsprintfA 16104->16111 16113 40a80a 16104->16113 16114 40a8f2 16104->16114 16108 40a8a5 wsprintfA 16105->16108 16121 40a89e 16105->16121 16109 40a8c4 send 16106->16109 16106->16114 16107 40a978 recv 16107->16114 16115 40a982 16107->16115 16108->16121 16110 40a8d8 wsprintfA 16109->16110 16109->16114 16110->16121 16111->16113 16112 40a9b0 wsprintfA 16112->16121 16113->16103 16114->16107 16114->16112 16114->16115 16116 4030b5 2 API calls 16115->16116 16115->16121 16117 40ab05 16116->16117 16118 40e819 11 API calls 16117->16118 16119 40ab17 16118->16119 16120 40a7a3 inet_ntoa 16119->16120 16120->16121 16121->16050 16123 4030fa 4 API calls 16122->16123 16124 403d0b 16123->16124 16124->16050 16126 405ce1 22 API calls 16125->16126 16127 40b3e6 16126->16127 16128 405ce1 22 API calls 16127->16128 16130 40b404 16128->16130 16129 40b440 16131 40ef7c 3 API 
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                              • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                              • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                              • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                            • ExitProcess.KERNEL32 ref: 00409C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                            • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                            • wsprintfA.USER32 ref: 0040A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                              • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                            • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                            • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                            • API String ID: 2089075347-2824936573
                                                                                            • Opcode ID: 408deff44febd3916874fa53db5e5f0dd1b788e316581794cedda39bc3a0aab8
                                                                                            • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                            • Opcode Fuzzy Hash: 408deff44febd3916874fa53db5e5f0dd1b788e316581794cedda39bc3a0aab8
                                                                                            • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 497 409326-409348 call 401910 GetVersionExA 500 409358-40935c 497->500 501 40934a-409356 497->501 502 409360-40937d GetModuleHandleA GetModuleFileNameA 500->502 501->502 503 409385-4093a2 502->503 504 40937f 502->504 505 4093a4-4093d7 call 402544 wsprintfA 503->505 506 4093d9-409412 call 402544 wsprintfA 503->506 504->503 511 409415-40942c call 40ee2a 505->511 506->511 514 4094a3-4094b3 call 406edd 511->514 515 40942e-409432 511->515 520 4094b9-4094f9 call 402544 RegOpenKeyExA 514->520 521 40962f-409632 514->521 515->514 517 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 515->517 517->514 532 409502-40952e call 402544 RegQueryValueExA 520->532 533 4094fb-409500 520->533 523 409634-409637 521->523 526 409639-40964a VirtualProtect 523->526 527 40967b-409682 523->527 530 40964c-409662 526->530 531 40966d-409679 526->531 534 409683 call 4091eb 527->534 538 409664-40966b 530->538 539 40962b-40962d 530->539 531->534 548 409530-409537 532->548 549 409539-409565 call 402544 RegQueryValueExA 532->549 540 40957a-40957f 533->540 543 409688-409690 534->543 538->539 545 4096a2-4096a9 539->545 546 409581-409584 540->546 547 40958a-40958d 540->547 550 409692 543->550 551 409698-4096a0 543->551 546->523 546->547 547->527 553 409593-40959a 547->553 554 40956e-409577 RegCloseKey 548->554 549->554 563 409567 549->563 550->551 551->545 557 40961a-40961f 553->557 558 40959c-4095a1 553->558 554->540 561 409625 557->561 558->557 562 4095a3-4095c0 call 40f0e4 558->562 561->539 568 4095c2-4095db call 4018e0 562->568 569 40960c-409618 562->569 563->554 568->545 572 4095e1-4095f9 568->572 569->561 572->545 573 4095ff-409607 572->573 573->545
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop$runas
                                                                                            • API String ID: 3696105349-2220793183
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 574 40405e-40407b CreateEventA 575 404084-4040a8 call 403ecd call 404000 574->575 576 40407d-404081 574->576 581 404130-40413e call 40ee2a 575->581 582 4040ae-4040be call 40ee2a 575->582 587 40413f-404165 call 403ecd CreateNamedPipeA 581->587 582->581 588 4040c0-4040f1 call 40eca5 call 403f18 call 403f8c 582->588 594 404167-404174 Sleep 587->594 595 404188-404193 ConnectNamedPipe 587->595 605 4040f3-4040ff 588->605 606 404127-40412a CloseHandle 588->606 594->587 596 404176-404182 CloseHandle 594->596 598 404195-4041a5 GetLastError 595->598 599 4041ab-4041c0 call 403f8c 595->599 596->595 598->599 601 40425e-404265 DisconnectNamedPipe 598->601 599->595 607 4041c2-4041f2 call 403f18 call 403f8c 599->607 601->595 605->606 608 404101-404121 call 403f18 ExitProcess 605->608 606->581 607->601 615 4041f4-404200 607->615 615->601 616 404202-40420b call 403f8c 615->616 618 404210-404215 616->618 618->601 619 404217-40421b 618->619 619->601 620 40421d-404230 call 403f8c 619->620 620->601 623 404232-404236 620->623 623->595 624 40423c-404251 call 403f18 623->624 627 404253-404259 624->627 628 40426a-404276 CloseHandle * 2 call 40e318 624->628 627->595 630 40427b 628->630 630->630
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2404124870-2980165447
                                                                                            • Opcode ID: fb32ede88c892ccab39cf83d003fcbea33a4e2e8563a4575a47fd59e5a1c2ade
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: fb32ede88c892ccab39cf83d003fcbea33a4e2e8563a4575a47fd59e5a1c2ade
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 669 406a60-406a89 CreateFileA 670 406b8c-406ba1 GetLastError 669->670 671 406a8f-406ac3 GetDiskFreeSpaceA 669->671 674 406ba3-406ba6 670->674 672 406ac5-406adc call 40eb0e 671->672 673 406b1d-406b34 call 406987 671->673 672->673 681 406ade 672->681 679 406b56-406b63 FindCloseChangeNotification 673->679 680 406b36-406b54 GetLastError CloseHandle 673->680 683 406b65-406b7d GetLastError CloseHandle 679->683 684 406b86-406b8a 679->684 682 406b7f-406b80 DeleteFileA 680->682 685 406ae0-406ae5 681->685 686 406ae7-406afb call 40eca5 681->686 682->684 683->682 684->674 685->686 687 406afd-406aff 685->687 686->673 687->673 689 406b01 687->689 691 406b03-406b08 689->691 692 406b0a-406b17 call 40eca5 689->692 691->673 691->692 692->673
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1251348514-2980165447
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 4febc6132cbb2eeae90f99f22907b6d3a51082cd0e0b87a57774915eab482f02
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 4febc6132cbb2eeae90f99f22907b6d3a51082cd0e0b87a57774915eab482f02
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02866EF4
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 02866F14
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192202050.0000000002862000.00000040.00000020.00020000.00000000.sdmp, Offset: 02862000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2862000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: 9f2a4635cddba74349cffded1e363938ad31ff4a3ef0ca7e8d91655badf55186
                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction Fuzzy Hash: 7EF0963D5007616FD7203BF9A88DB7E77ECAF49725F100528E646D54C0EB74E8454A61
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                              • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                              • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0
                                                                                            • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                            • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                            • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                            • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 3433985886-3108538426
                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.KERNELBASE(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.KERNELBASE(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"$PromptOnSecureDesktop
                                                                                            • API String ID: 4293430545-98143240
                                                                                            • Opcode ID: 618cfb6f1b26c540220dcc2678a44076c62346fd56d5638b59146fa8fa35b1d5
                                                                                            • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                            • Opcode Fuzzy Hash: 618cfb6f1b26c540220dcc2678a44076c62346fd56d5638b59146fa8fa35b1d5
                                                                                            • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 1400801100-0
                                                                                            • Opcode ID: e164254f3378dd396073a59d5f8bf438da5901e9f91fe2d8a4805c76184d12e6
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: e164254f3378dd396073a59d5f8bf438da5901e9f91fe2d8a4805c76184d12e6
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0298024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: d0e53b61273531ab38d23d50d51d9cc8c68263f388c43a8471df4b22a4e75715
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: C8526A75A01229DFDB64DF58C984BACBBB5BF09304F1480D9E94DAB351DB30AA89CF14

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                            • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                            • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                              • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                              • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                              • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                              • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                              • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4131120076-2980165447
                                                                                            • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                            • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                            • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                            • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 408151869-2980165447
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • ReadFile.KERNELBASE(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                            • GetLastError.KERNEL32 ref: 00403FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                            • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID: ,k@
                                                                                            • API String ID: 3934441357-1053005162
                                                                                            • Opcode ID: addf51b803be8b3fdc0b349711ac0ded489e61cd96ba8191abdedb398079e53a
                                                                                            • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                            • Opcode Fuzzy Hash: addf51b803be8b3fdc0b349711ac0ded489e61cd96ba8191abdedb398079e53a
                                                                                            • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                            • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-0
                                                                                            • Opcode ID: 0dc9418032d7fae7e99f7ff6decd2e171138db246ccd5078cf7f6b69033b9994
                                                                                            • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                            • Opcode Fuzzy Hash: 0dc9418032d7fae7e99f7ff6decd2e171138db246ccd5078cf7f6b69033b9994
                                                                                            • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,02980223,?,?), ref: 02980E19
                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,02980223,?,?), ref: 02980E1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction ID: e98cf138215984ae1e55f3103e4fc895c4da1c76603ef34e550f029b5c5f42b1
                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction Fuzzy Hash: 55D0123214512877D7003A94DC09BCE7B1CDF05B66F048011FB0DDA081C770954046E5
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1823874839-0
                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                            • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02866BDC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192202050.0000000002862000.00000040.00000020.00020000.00000000.sdmp, Offset: 02862000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2862000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: 39e1d1f51ed5c99b67b0903a4cd4e17f264bac884ee95d620cae671ca470a0ed
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: 8A113C79A00248EFDB01DF98C989E98BBF5EF08351F158094F9489B361E375EA90DF80
                                                                                            APIs
                                                                                            • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                            • closesocket.WS2_32(?), ref: 0040CB63
                                                                                            • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                            • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                            • wsprintfA.USER32 ref: 0040CD21
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                            • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                            • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                            • closesocket.WS2_32(?), ref: 0040D56C
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                            • ExitProcess.KERNEL32 ref: 0040D583
                                                                                            • wsprintfA.USER32 ref: 0040D81F
                                                                                              • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                            • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                            • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                            • API String ID: 562065436-3791576231
                                                                                            • Opcode ID: 58c16bf96f04c64393462683c7350eaf522ff62be46463dd462b2a21f2a14f1c
                                                                                            • Instruction ID: e3e311afffee0f8fdcefab3b6ad12dcdc3eb324b3d868ccf40e5e7320ccd552c
                                                                                            • Opcode Fuzzy Hash: 58c16bf96f04c64393462683c7350eaf522ff62be46463dd462b2a21f2a14f1c
                                                                                            • Instruction Fuzzy Hash: BDB2C471D00209BBEB209FA4DD85FEA7BB9AB08304F14457BF505B22D1D7789A89CB5C
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: def56848a29238af3b3263ec016d123599b8ce3514d2c8bce6aae186bf62253e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: def56848a29238af3b3263ec016d123599b8ce3514d2c8bce6aae186bf62253e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: 9c254f7c2f4551e4858b08560ebcfb375181b6b247abdacfd65a4178375c92cf
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: 9c254f7c2f4551e4858b08560ebcfb375181b6b247abdacfd65a4178375c92cf
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: 93d2068cc19732fe8ad9ae0a9f51e86421eb0c8fa32be1230cd8688bd4bd79d5
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: 93d2068cc19732fe8ad9ae0a9f51e86421eb0c8fa32be1230cd8688bd4bd79d5
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-179334549
                                                                                            • Opcode ID: 4a22ad167bc3991e7243980079933dba70382744969d1905516b1f864c22465e
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 4a22ad167bc3991e7243980079933dba70382744969d1905516b1f864c22465e
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: 5dd434fdf3d1b2f7ac71eae5deaa1b81d7ffa9032da077e8e99a06cc7be058a2
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: 5dd434fdf3d1b2f7ac71eae5deaa1b81d7ffa9032da077e8e99a06cc7be058a2
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 029865F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02986610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02986631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02986652
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 0c763e3340dbe245014b495ac6743b99c0108932068062114b68d1534d053823
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: 05117371600258BFDB21AF65DC4AF9B3FACEB457A5F144025FA09EB250D7B1DD00CAA4
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: ee9ff6285cd0759b386b71dc2009f55f092fb3ff13d227db5bcc73c144141d81
                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                            • Opcode Fuzzy Hash: ee9ff6285cd0759b386b71dc2009f55f092fb3ff13d227db5bcc73c144141d81
                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                            • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                              • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                              • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3754425949-0
                                                                                            • Opcode ID: 7316c1f4b5cb1443490bb148765e0df43b8208094f0d347aba08efc86f487165
                                                                                            • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                            • Opcode Fuzzy Hash: 7316c1f4b5cb1443490bb148765e0df43b8208094f0d347aba08efc86f487165
                                                                                            • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .$GetProcAddress.$l
                                                                                            • API String ID: 0-2784972518
                                                                                            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction ID: 488b4022198aa4651f638e99ebaa8a55008006827a595e62bcf7bdb05664b739
                                                                                            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction Fuzzy Hash: FC314AB6900609DFDB10DF99C884AAEBBF9FF48324F19404AD841A7310D771EA49CFA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                            • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192202050.0000000002862000.00000040.00000020.00020000.00000000.sdmp, Offset: 02862000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2862000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction ID: 8c90030a31736e2950e3e7a0a61774bf8f6483ba16504c43a59877f9bc7c4a1d
                                                                                            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction Fuzzy Hash: 1011A07A3401149FD750CE59DC85EA273EEEB88324B198165ED08CB301E679E802CBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction ID: c176cecf7dc77b31e62276bd5a420531f2e71618bfb76963a37a33887fc5f77e
                                                                                            • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction Fuzzy Hash: D301A7776116048FDF21DF24C805BAB33E9FF85315F4944A5D906DB242E774A9458B90
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 02989E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 02989FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 02989FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 0298A004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0298A054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0298A09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0298A0D6
                                                                                            • lstrcpy.KERNEL32 ref: 0298A12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 0298A13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 02989F13
                                                                                              • Part of subcall function 02987029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02987081
                                                                                              • Part of subcall function 02986F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\iwmorlyx,02987043), ref: 02986F4E
                                                                                              • Part of subcall function 02986F30: GetProcAddress.KERNEL32(00000000), ref: 02986F55
                                                                                              • Part of subcall function 02986F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02986F7B
                                                                                              • Part of subcall function 02986F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02986F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0298A1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0298A1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0298A214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0298A21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 0298A265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0298A29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0298A2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 0298A2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0298A2F4
                                                                                            • wsprintfA.USER32 ref: 0298A31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0298A345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 0298A364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0298A387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0298A398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0298A1D1
                                                                                              • Part of subcall function 02989966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0298999D
                                                                                              • Part of subcall function 02989966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 029899BD
                                                                                              • Part of subcall function 02989966: RegCloseKey.ADVAPI32(?), ref: 029899C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0298A3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0298A3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0298A41D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: d0369e3d69d4c442e1d11acb2612fd768eda9bbdb98bf8f87f5bf6f884fdd897
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: BDF141B1D40259AFDF21EFA0CC48FEF7BBCAB09304F0844A6E605E2141E7759A858F65
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02987D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02987D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02987D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02987DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02987DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02987DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02987DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02987DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02987E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02987E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02987E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02987E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: 76d805b6606c0fff8c4fbc6bde1f7db50c91485f730b2a8ae65ae9dddd423eed
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: B6A18B76900219AFDB11EFA1DC88FEEBBBDFB08304F18816AF501E6150D7758A84CB64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: eb1a08a2c71bfc4e71cb34ece599553e47f8ddafd4bc37f5bbc1e22e926e6740
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: eb1a08a2c71bfc4e71cb34ece599553e47f8ddafd4bc37f5bbc1e22e926e6740
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: 61f8b68dd9f344f506cfc8e29852887e470a3443c6047e34725b67e0d060e89d
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: 61f8b68dd9f344f506cfc8e29852887e470a3443c6047e34725b67e0d060e89d
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ae3e940a4bde8c590484db18a6dae5c4a8b1995a6f5a2f6c6eb5761f3b661a67
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ae3e940a4bde8c590484db18a6dae5c4a8b1995a6f5a2f6c6eb5761f3b661a67
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02987A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02987ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 02987ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02987B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02987B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02987B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02987B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02987B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02987B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02987B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02987B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02987B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 02987BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02987BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 02987C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02987C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02987CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02987CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02987CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02987CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02987CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: 3a8dc46297b4854b18bccf73160a4d53bf114eafac54648786345e5346d527bb
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 73814C76900219AFDB11DFE4DD84FEEBBBCAF08344F18806AE605E7250D7759641CB64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: PromptOnSecureDesktop$localcfg
                                                                                            • API String ID: 237177642-1678164370
                                                                                            • Opcode ID: 96b744c21c97554fe267b79c97f5d976ed6b4de3d9a18d44cb0f3305665f7017
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: 96b744c21c97554fe267b79c97f5d976ed6b4de3d9a18d44cb0f3305665f7017
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 835516345-270533642
                                                                                            • Opcode ID: c2d043fcc5cbb47ed0bea78f2b79b5e209498882ff798d96aae41c0d31e4dbc2
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: c2d043fcc5cbb47ed0bea78f2b79b5e209498882ff798d96aae41c0d31e4dbc2
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0298865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0298867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 029886A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 029886B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 237177642-3108538426
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: 92511189810587cf600e6e47cfbaca23a1183b074b3741ec12841c62e188c598
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: D2C1B1B290024DBEEB11BBA4DD84EEF7BBDFB44304F584065F605E2050E7B18A948B75
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 02981601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 029817D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: 1ef9c4d308254240fea51449a980586c9f8ebcb2d13c4ce4c598b7de852a2150
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: 38F1ADB11083419FD720EF64D888BABB7E9FB88304F04892DF69A97390D7B4D945CB56
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029876D9
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02987757
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0298778F
                                                                                            • ___ascii_stricmp.LIBCMT ref: 029878B4
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0298794E
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0298796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0298797E
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 029879AC
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02987A56
                                                                                              • Part of subcall function 0298F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0298772A,?), ref: 0298F414
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 029879F6
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02987A4D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 3433985886-3108538426
                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction ID: 2a5a49a272c00fe15648ff6b7c878870d45123ebbbc9c3f790ba595c972d9ade
                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction Fuzzy Hash: A0C17176900219AFDB11AFE4DC44FEEBBBDEF49310F2840A5E544E6190EB75DA84CB60
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02982CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 02982D07
                                                                                            • htons.WS2_32(00000000), ref: 02982D42
                                                                                            • select.WS2_32 ref: 02982D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 02982DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02982E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 127016686-0
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: a8e11deecb0bfc239dd99d8f6af7af23603db694b16913f413e32f54a9283ead
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: FB61C272904345AFC320AF64DC08B6BBBE8EF88755F084819FD8497151D7B5D880CBA9
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: 5cd659d1eb2281404cf1ff7fe35be06c0bda1c6b56bcdef19fd154bc71bc5665
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: 5cd659d1eb2281404cf1ff7fe35be06c0bda1c6b56bcdef19fd154bc71bc5665
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: d8108df1af11397a5f9eb0cb94d23b6045a7de0830802216e32b8eab0121211e
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: d8108df1af11397a5f9eb0cb94d23b6045a7de0830802216e32b8eab0121211e
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?), ref: 029895A7
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029895D5
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 029895DC
                                                                                            • wsprintfA.USER32 ref: 02989635
                                                                                            • wsprintfA.USER32 ref: 02989673
                                                                                            • wsprintfA.USER32 ref: 029896F4
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02989758
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0298978D
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029897D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3696105349-2980165447
                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction ID: 55f417ee055c5726427645665b82fdcfb159d62d5a64b4ad7319d012e50198f3
                                                                                            • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction Fuzzy Hash: B5A18EB290024CAFEB21EFA1CC45FEA3BADEB44741F144026FA15E6251E7B5D584CFA4
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-142018493
                                                                                            • Opcode ID: 5de4b720525195bfa21f7211d5f61df3d951c59e2526b8a2204b20cbe9ca94a4
                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                            • Opcode Fuzzy Hash: 5de4b720525195bfa21f7211d5f61df3d951c59e2526b8a2204b20cbe9ca94a4
                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: 07bf672bddbe06c2f420d96725ac0e1f54ef040b4224a6cef6ca6ba202742de3
                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                            • Opcode Fuzzy Hash: 07bf672bddbe06c2f420d96725ac0e1f54ef040b4224a6cef6ca6ba202742de3
                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: 66737db9b915561633ae3f492ee5f4d9e9eb10476a5fdfc482486e88eb260942
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: 66737db9b915561633ae3f492ee5f4d9e9eb10476a5fdfc482486e88eb260942
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: a4c47fe232f0f429a5e45ffdfbe97dd16a9fcdfbaa8a3ef520d6a4c94dc9225a
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: a4c47fe232f0f429a5e45ffdfbe97dd16a9fcdfbaa8a3ef520d6a4c94dc9225a
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02983068
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02983078
                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 02983095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 029830B6
                                                                                            • htons.WS2_32(00000035), ref: 029830EF
                                                                                            • inet_addr.WS2_32(?), ref: 029830FA
                                                                                            • gethostbyname.WS2_32(?), ref: 0298310D
                                                                                            • HeapFree.KERNEL32(00000000), ref: 0298314D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: iphlpapi.dll
                                                                                            • API String ID: 2869546040-3565520932
                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction ID: 377739c0a55ca553ae163feacfe3064d0a172440425f3881f530d1086cf18c7e
                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction Fuzzy Hash: D2318431A00606ABDB11AFB8DC48BBE77BCAF05F64F1841A5E518E7290DB74D541CB5C
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 3560063639-3847274415
                                                                                            • Opcode ID: eb7510e18f4f3ad5f9c27a48c5e533d648c270866267e0b44efdedb47f858b72
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: eb7510e18f4f3ad5f9c27a48c5e533d648c270866267e0b44efdedb47f858b72
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                            • API String ID: 1082366364-2834986871
                                                                                            • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                            • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2981417381-1403908072
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 029867C3
                                                                                            • htonl.WS2_32(?), ref: 029867DF
                                                                                            • htonl.WS2_32(?), ref: 029867EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 029868F1
                                                                                            • ExitProcess.KERNEL32 ref: 029869BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1150517154-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: d251992e419296f6b7d4e786a17e704c1e912ed9bcb6dc3f31abddd5cb15c9a3
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: 0E616F71A40208AFDB60AFB4DC45FEA77E9FB48300F14806AFA6DD6161EB7599908F14
                                                                                            APIs
                                                                                            • htons.WS2_32(0298CC84), ref: 0298F5B4
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0298F5CE
                                                                                            • closesocket.WS2_32(00000000), ref: 0298F5DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction ID: 1b3e68439ce615247c8620c8ccd9a1323f7dff1738515dbe765d01c4d430a8aa
                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction Fuzzy Hash: 52316C7290011CABDB10EFA5DC88DEE7BBCEF88314F544566F915E3150E7709A818BA4
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 02982FA1
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02982FB1
                                                                                            • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02982FC8
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02983000
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02983007
                                                                                            • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02983032
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: dnsapi.dll
                                                                                            • API String ID: 1242400761-3175542204
                                                                                            • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction ID: 933002573633a8ecf4d76bcd29ba8d85aa9b4b5dd7f46a6d354c5ad01a86f5be
                                                                                            • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction Fuzzy Hash: F9217F71D01629BBCB22AFA5DC48AEEBBBCEF08B54F044461F905E7540D7B49A81C7E4
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\iwmorlyx,02987043), ref: 02986F4E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02986F55
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02986F7B
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02986F92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\iwmorlyx
                                                                                            • API String ID: 1082366364-4187546015
                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction ID: a07ed5fb6391bea80720a34b0bddc522d58fcf759d2c85c1b880f768a0ec9713
                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction Fuzzy Hash: D12105617413407EF722B7319C88FFB2E4C8B92724F2C40A5F944EA590DBD9C4D686AD
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3609698214-2980165447
                                                                                            • Opcode ID: bb3a68048dca612602b0c8d6e49c283fb6b7b0927c26922aed4f6a4c5afedb24
                                                                                            • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                            • Opcode Fuzzy Hash: bb3a68048dca612602b0c8d6e49c283fb6b7b0927c26922aed4f6a4c5afedb24
                                                                                            • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 029892E2
                                                                                            • wsprintfA.USER32 ref: 02989350
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02989375
                                                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 02989389
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 02989394
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0298939B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction ID: a9fb2f660235b968e9414087b592e6ed8836d74a3c5fff0080ddcd193463ff1c
                                                                                            • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction Fuzzy Hash: B01172B27401147BE7207B32EC0DFEF3A6EDBC8B11F048065BB09E5190EBB54A458B64
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02989A18
                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 02989A52
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 02989A60
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02989A98
                                                                                            • SetThreadContext.KERNEL32(?,00010002), ref: 02989AB5
                                                                                            • ResumeThread.KERNEL32(?), ref: 02989AC2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction ID: fbab47a9dd51416c581fb5914389ea0d029135e792af7146e28567566185b578
                                                                                            • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction Fuzzy Hash: F7213BB1A01219BBEB11ABA1DC09EEF7BBCEF04754F444061FA19E6150E7758A44CBA4
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(004102D8), ref: 02981C18
                                                                                            • LoadLibraryA.KERNEL32(004102C8), ref: 02981C26
                                                                                            • GetProcessHeap.KERNEL32 ref: 02981C84
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02981C9D
                                                                                            • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02981CC1
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000), ref: 02981D02
                                                                                            • FreeLibrary.KERNEL32(?), ref: 02981D0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID:
                                                                                            • API String ID: 2324436984-0
                                                                                            • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction ID: 4690098fae2128c083e2548faeca8738ea4ac6fcc42249b5b9b741292450495a
                                                                                            • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction Fuzzy Hash: 54313C32E00219BFCB11AFA4DC889AEBBB9EF45715B28447AE509E3110D7B54E81DB94
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1586453840-2980165447
                                                                                            • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                            • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1371578007-2980165447
                                                                                            • Opcode ID: ef12e745c0d8ac77b0bd51427e5f83480508b91c038ebc09813fba6640af01bf
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: ef12e745c0d8ac77b0bd51427e5f83480508b91c038ebc09813fba6640af01bf
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02986CE4
                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02986D22
                                                                                            • GetLastError.KERNEL32 ref: 02986DA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 02986DB5
                                                                                            • GetLastError.KERNEL32 ref: 02986DD6
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02986DE7
                                                                                            • GetLastError.KERNEL32 ref: 02986DFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3873183294-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: 4081abbfc7ae9b094a6e1ba3592b5839950e2433f263192f51b4a5a6d7d4d856
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 66310172900249BFCB01EFA4DD48ADE7F7DEF88300F188475E251EB211E7708A958B61
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029893C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 029893CD
                                                                                            • CharToOemA.USER32(?,?), ref: 029893DB
                                                                                            • wsprintfA.USER32 ref: 02989410
                                                                                              • Part of subcall function 029892CB: GetTempPathA.KERNEL32(00000400,?), ref: 029892E2
                                                                                              • Part of subcall function 029892CB: wsprintfA.USER32 ref: 02989350
                                                                                              • Part of subcall function 029892CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02989375
                                                                                              • Part of subcall function 029892CB: lstrlen.KERNEL32(?,?,00000000), ref: 02989389
                                                                                              • Part of subcall function 029892CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02989394
                                                                                              • Part of subcall function 029892CB: CloseHandle.KERNEL32(00000000), ref: 0298939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02989448
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction ID: 30256395cc4018e1a5e94d1b7216ecbc76a5f9bac2b7a236f44142a376d1eedc
                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction Fuzzy Hash: 59015EF69001587BEB21A7619D89EEF3B7CDBD5701F0040A2BB49E2080EAB497C58F75
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen
                                                                                            • String ID: $localcfg
                                                                                            • API String ID: 1659193697-2018645984
                                                                                            • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                            • Instruction ID: c3dd1e685f380747dbddc4be5bb4143ff85c5fdf3f65bd2e692e24b6b0271813
                                                                                            • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                            • Instruction Fuzzy Hash: C8712A72A00304AADF21BB54DC85FEE376DAF41709F2C446BFA04E6090EF7699C48B59
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                            APIs
                                                                                              • Part of subcall function 0298DF6C: GetCurrentThreadId.KERNEL32 ref: 0298DFBA
                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 0298E8FA
                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02986128), ref: 0298E950
                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 0298E989
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 2920362961-1846390581
                                                                                            • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction ID: 602936a52ecc37996a72043426164afcfa8994e2ebdde353cb4ba50675fa6209
                                                                                            • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction Fuzzy Hash: 9C319031A007059BDB71AF24C894BA67BE8EF05724F08892AF5D5C7551D3B2E880CB91
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction ID: 666c8dd7a7291e541be23ff28c7bcf271789c912571b0c2d20a6891a73ab1c1f
                                                                                            • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction Fuzzy Hash: EF215C73204219BFDB10BBB4FC49EDF3FAEEB49264B188425F502D5092EB70DA509A74
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                            • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0298C6B4
                                                                                            • InterlockedIncrement.KERNEL32(0298C74B), ref: 0298C715
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0298C747), ref: 0298C728
                                                                                            • CloseHandle.KERNEL32(00000000,?,0298C747,00413588,02988A77), ref: 0298C733
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1026198776-1857712256
                                                                                            • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                            • Instruction ID: 6137840431f5fe29868402446c5222a8067f2b009abe4df8c3b97f22cb7c08df
                                                                                            • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                            • Instruction Fuzzy Hash: 7F515EB1A01B458FD728AF69C5D462ABBE9FB48304B54593FE18BC7A90D774F444CB20
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                              • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 124786226-2980165447
                                                                                            • Opcode ID: 50e144e5c66517dd62c9eb504a4f9f7b4843c8d6198543f26dab993f1630d953
                                                                                            • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                            • Opcode Fuzzy Hash: 50e144e5c66517dd62c9eb504a4f9f7b4843c8d6198543f26dab993f1630d953
                                                                                            • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0298E50A,00000000,00000000,00000000,00020106,00000000,0298E50A,00000000,000000E4), ref: 0298E319
                                                                                            • RegSetValueExA.ADVAPI32(0298E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0298E38E
                                                                                            • RegDeleteValueA.ADVAPI32(0298E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0298E3BF
                                                                                            • RegCloseKey.ADVAPI32(0298E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0298E50A), ref: 0298E3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2667537340-2980165447
                                                                                            • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction ID: 831010f01960275a4296de05932f9400509810f622c21afe8e5c52a166353136
                                                                                            • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction Fuzzy Hash: CB212C71A0021DBBDF21AFA5EC89EDE7F79EF48750F048062F944A6160E7718A54DBA0
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2667537340-2980165447
                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 029871E1
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02987228
                                                                                            • LocalFree.KERNEL32(?,?,?), ref: 02987286
                                                                                            • wsprintfA.USER32 ref: 0298729D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                            • String ID: |
                                                                                            • API String ID: 2539190677-2343686810
                                                                                            • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction ID: 30fd56244da92d7477631100744421950475031b2c882bba81e05cda1fa0f0b7
                                                                                            • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction Fuzzy Hash: F4312B76900208BFDB01EFA8DC45BDA7BACEF04314F18C066F959DB200EB75D6488B94
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                            • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0298B51A
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0298B529
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0298B548
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0298B590
                                                                                            • wsprintfA.USER32 ref: 0298B61E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4026320513-0
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 6b967df997b06531cbb26f0912bdddea5224d35eb5cc7def1ffada00b1c52c5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: 57513FB1D0021DAACF14DFD5D8889EEBBB9BF48304F14812AF501A6150E7B84AC9CF98
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02986303
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 0298632A
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 029863B1
                                                                                            • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02986405
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: HugeRead$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 3498078134-0
                                                                                            • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction ID: 5d0d2f520b2352d3ee6786897b6cf1206ad6162d9dff67c5e2e000c1656221a6
                                                                                            • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction Fuzzy Hash: FE416D71A00209EFDB14EF68D884BADB7BCFF04358F18856AE955DB290D771E940CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: A$ A
                                                                                            • API String ID: 3343386518-686259309
                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1128258776-0
                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: 53a70ba93e4b2c34d413b9add9e26c4f8e9f0de61643a904c0250f6f0d42246e
                                                                                            • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                            • Opcode Fuzzy Hash: 53a70ba93e4b2c34d413b9add9e26c4f8e9f0de61643a904c0250f6f0d42246e
                                                                                            • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                            APIs
                                                                                              • Part of subcall function 0298DF6C: GetCurrentThreadId.KERNEL32 ref: 0298DFBA
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0298A6AC), ref: 0298E7BF
                                                                                            • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0298A6AC), ref: 0298E7EA
                                                                                            • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0298A6AC), ref: 0298E819
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1396056608-2980165447
                                                                                            • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                            • Instruction ID: dc169cdafc9007b6bc2bd82d6cfebe9b51cef00d38e0bf85dec23b64b7363165
                                                                                            • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                            • Instruction Fuzzy Hash: 8221C7F1A403007AF2217B319C45FEB3E5DDFA5B60F180039FA4AB51D3FAA595508AB5
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                            • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3683885500-2980165447
                                                                                            • Opcode ID: e52c754b5c4df7ac7535869be25ad2b94008d4c8a4726cb9c757c49838e9d70c
                                                                                            • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                            • Opcode Fuzzy Hash: e52c754b5c4df7ac7535869be25ad2b94008d4c8a4726cb9c757c49838e9d70c
                                                                                            • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 2574300362-1087626847
                                                                                            • Opcode ID: 5c3f6046797f5d804895e4c05c4277987be728c98b5bed37973dbb72bca93dd1
                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                            • Opcode Fuzzy Hash: 5c3f6046797f5d804895e4c05c4277987be728c98b5bed37973dbb72bca93dd1
                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029876D9
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0298796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0298797E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEnumOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1332880857-2980165447
                                                                                            • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                            • Instruction ID: 90ef466cc792bacb917c8980499745a20db82460a974c0cf8bcabfedc65369f5
                                                                                            • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                            • Instruction Fuzzy Hash: BF11AC70A00109AFDB12AFA9DC44FEFBF7DEB95714F280561F515E6290E7B18940CB61
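The five setsockopt calls at 0040F2A0 to 0040F2FD and the RegOpenKeyExA call at 029876D9 above list their arguments as raw hex. Read symbolically, the socket is given SO_REUSEADDR, SOL_SOCKET send and receive timeouts (0x1005 and 0x1006), TCP_NODELAY on level 6 (IPPROTO_TCP) and SO_LINGER (0x80), and HKEY_LOCAL_MACHINE (0x80000002) is opened with access mask 0x20119 = KEY_READ | KEY_WOW64_64KEY, the flag with which a 32-bit process asks for the native 64-bit registry view on 64-bit Windows (PromptOnSecureDesktop, the string in the same function, is a UAC policy value name; the listing does not show the key path it is read under). The script below is an added example, neither Joe Sandbox code nor code from the sample: it parses trace lines in the shape used in this listing ("Name.MODULE(arg,...), ref: ADDR", with the optional "Part of subcall function" prefix) and decodes those constants. The setsockopt layout follows the documented prototype; for RegOpenKeyExA only the first argument is taken positionally, because the two RegOpenKeyExA lines in this listing carry different argument counts, and the access mask is located by its standard-rights bits. The sample input is copied from the lines above and used as constructed test data.

```python
"""Decode the raw hex arguments in Joe Sandbox API-trace lines.

Added example for reading this listing; not Joe Sandbox code and not code from the
analysed sample. Constant values are the documented Winsock (ws2def.h) and
registry (winreg.h / winnt.h) values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Arg = Union[int, str, None]  # 32-bit value, literal string, or None for '?'

# Winsock: setsockopt(s, level, optname, optval, optlen)
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
LEVELS = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP"}
SOCKET_OPTS = {
    (SOL_SOCKET, 0x0004): "SO_REUSEADDR", (SOL_SOCKET, 0x0080): "SO_LINGER",
    (SOL_SOCKET, 0x1005): "SO_SNDTIMEO", (SOL_SOCKET, 0x1006): "SO_RCVTIMEO",
    (IPPROTO_TCP, 0x0001): "TCP_NODELAY",
}

# Registry: predefined root handles and REGSAM access bits
HKEYS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
}
KEY_READ = 0x00020019  # STANDARD_RIGHTS_READ | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
KEY_BITS = [
    (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"), (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
]

LINE_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Arg]
    ref: int  # address of the call site


def parse_arg(tok: str) -> Arg:
    """'0000FFFF' -> 0xFFFF, '-00000030' -> -0x30, '?' -> None, otherwise the literal string."""
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if HEX_RE.match(tok) else tok


def parse_call(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line.lstrip(" \u2022"))  # drop indentation and the bullet glyph
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def fmt(a: Arg) -> str:
    if a is None:
        return "?"
    if isinstance(a, int):
        return f"0x{a:X}" if a >= 0 else f"-0x{-a:X}"
    return a


def decode_setsockopt(call: ApiCall) -> str:
    """Positional decode against the documented prototype (all five lines above list five args)."""
    s, level, opt, val, length = (call.args + [None] * 5)[:5]
    return (f"setsockopt(s={fmt(s)}, {LEVELS.get(level, fmt(level))}, "
            f"{SOCKET_OPTS.get((level, opt), fmt(opt))}, optval={fmt(val)}, optlen={fmt(length)})")


def decode_regsam(mask: int) -> str:
    parts = []
    if (mask & KEY_READ) == KEY_READ:  # name the composite right first, then the extra bits
        parts.append("KEY_READ")
        mask &= ~KEY_READ
    for bit, name in KEY_BITS:
        if mask & bit:
            parts.append(name)
            mask &= ~bit
    if mask:
        parts.append(f"0x{mask:X}")
    return " | ".join(parts) or "0"


def decode_regopenkeyex(call: ApiCall) -> str:
    """Only the root handle is positional: the static trace does not always list every
    prototype argument, so the access mask is the first later argument with standard-rights bits."""
    hive = HKEYS.get(call.args[0], fmt(call.args[0])) if call.args else "?"
    sam = next((a for a in call.args[1:] if isinstance(a, int) and a & 0x000F0000), None)
    sam_txt = decode_regsam(sam) if sam is not None else "samDesired not in trace"
    return f"{call.name}({hive}, {sam_txt})"


DECODERS = {"setsockopt": decode_setsockopt, "RegOpenKeyExA": decode_regopenkeyex}


def annotate(line: str) -> str:
    """'<call site>  <module>  <decoded call>' for a trace line; other lines pass through."""
    call = parse_call(line)
    if call is None:
        return line.strip()
    dec = DECODERS.get(call.name)
    body = dec(call) if dec else f"{call.name}({', '.join(fmt(a) for a in call.args)})"
    return f"{call.ref:08X}  {call.module:<9} {body}"


# Trace lines copied from the listing above, used here as constructed input.
SAMPLE_LINES = [
    "• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0",
    "• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0",
    "• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC",
    "• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD",
    "• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029876D9",
    "• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0298999D",
    "• GetTickCount.KERNEL32 ref: 0040272E",
    "  • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(annotate(ln))
```

Running it prints one decoded call per input line; for the HKCU line, which lists only two arguments, it reports that the access mask is not in the trace rather than guessing a position. Calls without a decoder (GetTickCount, RtlAllocateHeap) are printed with their arguments normalised, and non-trace lines pass through unchanged, so the script can be run over a whole saved listing.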
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2777991786-2393279970
                                                                                            • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                            • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0298999D
                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000), ref: 029899BD
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 029899C6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteOpenValue
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 849931509-2980165447
                                                                                            • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                            • Instruction ID: 0b474e3b731493ff6d0211421c1be1b362850d63ea232d876f8eafdb44395fda
                                                                                            • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                            • Instruction Fuzzy Hash: 1DF0F6B2A80208BFF7107B51EC06FDB3A2CDB94B14F100060FA05B5081F6E59A9086B9
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                            • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                            • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteOpenValue
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 849931509-2980165447
                                                                                            • Opcode ID: c32bd2a19c33d57a97dc38e480cb8eff028dd4ac8e1228206779d83c5918f3cf
                                                                                            • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                            • Opcode Fuzzy Hash: c32bd2a19c33d57a97dc38e480cb8eff028dd4ac8e1228206779d83c5918f3cf
                                                                                            • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg$u6A
                                                                                            • API String ID: 1594361348-1940331995
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 6d6c85396817faf5279e98517b6cbf3d5b95e5756b007168bdcaa7e661529523
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9DE01231A045519FDB50AB2CF848AD577E9EF4A230F098595F854D71A0C774DCC19754
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 029869E5
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 02986A26
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 02986A3A
                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 02986BD8
                                                                                              • Part of subcall function 0298EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02981DCF,?), ref: 0298EEA8
                                                                                              • Part of subcall function 0298EE95: HeapFree.KERNEL32(00000000), ref: 0298EEAF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 3384756699-0
                                                                                            • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction ID: a17846267c3fcae400d56cba566f9543919355a09b47e8689b02cba19f610fba
                                                                                            • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction Fuzzy Hash: AC71277190421DEFDF11EFA4CC81AEEBBBDFB04318F14456AE515AA190D7349E92CB60
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf
                                                                                            • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                            • API String ID: 2111968516-120809033
                                                                                            • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                            • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0298421F
                                                                                            • GetLastError.KERNEL32 ref: 02984229
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 0298423A
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0298424D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: d488b5e4a4a0c9b787e3b2486ceefc605ce48d5e86c23a2907767e016b870a9f
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: F801C87251510AAFDF01EF90ED84BEF7BACEF08255F148461F901E6050D770DA548BB6
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029841AB
                                                                                            • GetLastError.KERNEL32 ref: 029841B5
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 029841C6
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029841D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: a8e847494f6e068b9ae451129513e879f237be2cac5ecc06d76817beda6e861b
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: 0601087691110AAFDF01EF90ED84BEF7BACEF28259F008061F901E2050D770DA648BB6
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                            • GetLastError.KERNEL32 ref: 00403F4E
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                            APIs
                                                                                            • lstrcmp.KERNEL32(?,80000009), ref: 0298E066
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 1534048567-1846390581
                                                                                            • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction ID: 2cc220b576a0dbd45beede438fc29146cb999d17f71132ecb5e5eba1d861611b
                                                                                            • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction Fuzzy Hash: 16F0CD322083069BCB20DF64DC84A82B7ECFB09325B088A2AF599C3060D370E498CB55
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                            • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                            • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                            • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                            • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                            • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                            • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                            • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                            • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00403103
                                                                                            • GetTickCount.KERNEL32 ref: 0040310F
                                                                                            • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                            • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                            • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,029844E2,00000000,00000000,00000000), ref: 0298E470
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0298E484
                                                                                              • Part of subcall function 0298E2FC: RegCreateKeyExA.ADVAPI32(80000001,0298E50A,00000000,00000000,00000000,00020106,00000000,0298E50A,00000000,000000E4), ref: 0298E319
                                                                                              • Part of subcall function 0298E2FC: RegSetValueExA.ADVAPI32(0298E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0298E38E
                                                                                              • Part of subcall function 0298E2FC: RegDeleteValueA.ADVAPI32(0298E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0298E3BF
                                                                                              • Part of subcall function 0298E2FC: RegCloseKey.ADVAPI32(0298E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0298E50A), ref: 0298E3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4151426672-2980165447
                                                                                            • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction ID: 415fc2d9bad8dc38706f9583b40a52304aac1d0de099cc57e96ab0d85419343d
                                                                                            • Instruction Fuzzy Hash: FB41D5B2D00218BAEF207F618C45FEB3B6CEB44764F188025FE4EA4191E7B59650DAB5
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                              • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                              • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                              • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                              • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4151426672-2980165447
                                                                                            • Opcode ID: a7932ee6e11f51e31df66d5708ae860d6aff00331a4d04ea59eecfc3ddd3bc48
                                                                                            • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                            • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 029883C6
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02988477
                                                                                              • Part of subcall function 029869C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 029869E5
                                                                                              • Part of subcall function 029869C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02986A26
                                                                                              • Part of subcall function 029869C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02986A3A
                                                                                              • Part of subcall function 0298EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02981DCF,?), ref: 0298EEA8
                                                                                              • Part of subcall function 0298EE95: HeapFree.KERNEL32(00000000), ref: 0298EEAF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 359188348-2980165447
                                                                                            • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction ID: 9ad9c4e5fd1df64fabe3491f165c29dab78c1fd3038fbcc9a8842bdd95eb98c2
                                                                                            • Instruction Fuzzy Hash: 64417EB290010DBFEB10FBA09D80EFF776DEB44344F5844AAE509E6050EBB05A948B60
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0298E859,00000000,00020119,0298E859,PromptOnSecureDesktop), ref: 0298E64D
                                                                                            • RegCloseKey.ADVAPI32(0298E859,?,?,?,?,000000C8,000000E4), ref: 0298E787
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 47109696-2980165447
                                                                                            • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                            • Instruction ID: 52d6793068220e61bcb8b066505d1ea5bc2fcaf32ee8a01acb57c9ccc48a9ecd
                                                                                            • Instruction Fuzzy Hash: F441F8B2D0011DBFDF11AFA4DC84DEEBBBDFB48304F184466FA10A6150E3719A559B60
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0298AFFF
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0298B00D
                                                                                              • Part of subcall function 0298AF6F: gethostname.WS2_32(?,00000080), ref: 0298AF83
                                                                                              • Part of subcall function 0298AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0298AFE6
                                                                                              • Part of subcall function 0298331C: gethostname.WS2_32(?,00000080), ref: 0298333F
                                                                                              • Part of subcall function 0298331C: gethostbyname.WS2_32(?), ref: 02983349
                                                                                              • Part of subcall function 0298AA0A: inet_ntoa.WS2_32(00000000), ref: 0298AA10
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %OUTLOOK_BND_
                                                                                            • API String ID: 1981676241-3684217054
                                                                                            • Opcode ID: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                            • Instruction ID: da01b893042e1031a44655ea6c604b154c3a4e08879c56aafc1669c5b96c94d8
                                                                                            • Instruction Fuzzy Hash: 58410E7290024CABDB25EFA0DC45EEE3BADFB48304F184426F929D2151EA75E6548F54
                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02989536
                                                                                            • Sleep.KERNEL32(000001F4), ref: 0298955D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-3916222277
                                                                                            • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                            • Instruction ID: 7cde711daba6109626910151c189af90f2e9825d99c8ad6b6ce9fc6eb37aa8c5
                                                                                            • Instruction Fuzzy Hash: 294107B19083956EFB36BB74D89C7B63BEC9B02314F1C01A5D886973A2D7B44981C711
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0298B9D9
                                                                                            • InterlockedIncrement.KERNEL32(00413648), ref: 0298BA3A
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0298BA94
                                                                                            • GetTickCount.KERNEL32 ref: 0298BB79
                                                                                            • GetTickCount.KERNEL32 ref: 0298BB99
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0298BE15
                                                                                            • closesocket.WS2_32(00000000), ref: 0298BEB4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountIncrementInterlockedTick$closesocket
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 1869671989-2903620461
                                                                                            • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                            • Instruction ID: fb298d3d7822d6fe8175d5a54dd73412313f17ecb979cc6c13e6e7fe08268ca5
                                                                                            • Instruction Fuzzy Hash: 4E317E72400248DFDF25EFA4DC54BEDB7A9EB44704F284456FA15C2161EB34D685CF54
                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                            • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                            APIs
                                                                                              • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                              • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461
                                                                                            • Opcode ID: 07e354698f15fd9fc768e13d315d3543d6c442699b8c7836c4f7c54cdd5a5fd6
                                                                                            • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                            • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 029870BC
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 029870F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID: |
                                                                                            • API String ID: 2370142434-2343686810
                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction ID: 533515cdf3fb7bc1127afcb9317b4cc67b00d9f3984e2ac4898c20a600adfca1
                                                                                            • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction Fuzzy Hash: 69112A76900118EBDB51DBD4DC84AEEB7BCAB04309F2841A6E511E7094D7709B88CBA0
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2777991786-1857712256
                                                                                            • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                            • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                            APIs
                                                                                              • Part of subcall function 02982F88: GetModuleHandleA.KERNEL32(?), ref: 02982FA1
                                                                                              • Part of subcall function 02982F88: LoadLibraryA.KERNEL32(?), ref: 02982FB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 029831DA
                                                                                            • HeapFree.KERNEL32(00000000), ref: 029831E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4192342662.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2980000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction ID: 904df2328fb53c775301df53d284e81ab38bfe16915510542e3d85f913275646
                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction Fuzzy Hash: 15517B7190024AEFCF01AF64D888AFAB779FF05705F1845A9EC96C7210E732DA19CB94
                                                                                            APIs
                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.4190916179.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.4190916179.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_AvDJi40xp_9fyz7RPmKdbxb4.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 44b2ceadd519ca45f912a616d592807794313ca1f1de80b4bcf7ee55ccb8d493
                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                            • Opcode Fuzzy Hash: 44b2ceadd519ca45f912a616d592807794313ca1f1de80b4bcf7ee55ccb8d493
                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                                            Execution Graph

                                                                                            Execution Coverage:3.3%
                                                                                            Dynamic/Decrypted Code Coverage:2%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:1538
                                                                                            Total number of Limit Nodes:13
15212 40df4c 20 API calls 15271 40cb70 15212->15271 15217 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15217->15271 15219 40e654 13 API calls 15219->15271 15224 40ea84 30 API calls 15224->15271 15225 40d569 closesocket Sleep 15717 40e318 15225->15717 15226 40d815 wsprintfA 15226->15271 15227 40cc1c GetTempPathA 15227->15271 15228 40c517 23 API calls 15228->15271 15230 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15230->15271 15231 40e8a1 30 API calls 15231->15271 15232 40d582 ExitProcess 15233 40cfe3 GetSystemDirectoryA 15233->15271 15234 40cfad GetEnvironmentVariableA 15234->15271 15235 40675c 21 API calls 15235->15271 15236 40d027 GetSystemDirectoryA 15236->15271 15237 40d105 lstrcatA 15237->15271 15238 40ef1e lstrlenA 15238->15271 15239 40cc9f CreateFileA 15241 40ccc6 WriteFile 15239->15241 15239->15271 15240 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15240->15271 15244 40cdcc CloseHandle 15241->15244 15245 40cced CloseHandle 15241->15245 15242 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15242->15271 15243 40d15b CreateFileA 15246 40d182 WriteFile CloseHandle 15243->15246 15243->15271 15244->15271 15251 40cd2f 15245->15251 15246->15271 15247 40cd16 wsprintfA 15247->15251 15248 40d149 SetFileAttributesA 15248->15243 15249 40d36e GetEnvironmentVariableA 15249->15271 15250 40d1bf SetFileAttributesA 15250->15271 15251->15247 15699 407fcf 15251->15699 15252 40d22d GetEnvironmentVariableA 15252->15271 15253 407ead 6 API calls 15253->15271 15255 40d3af lstrcatA 15256 40d3f2 CreateFileA 15255->15256 15255->15271 15259 40d415 WriteFile CloseHandle 15256->15259 15256->15271 15258 407fcf 64 API calls 15258->15271 15259->15271 15260 40cd81 WaitForSingleObject CloseHandle CloseHandle 15262 40f04e 4 API calls 15260->15262 15261 40cda5 15263 407ee6 64 API calls 15261->15263 15262->15261 15266 40cdbd DeleteFileA 15263->15266 15264 40d3e0 SetFileAttributesA 15264->15256 
15265 40d26e lstrcatA 15268 40d2b1 CreateFileA 15265->15268 15265->15271 15266->15271 15267 40d4b1 CreateProcessA 15269 40d4e8 CloseHandle CloseHandle 15267->15269 15267->15271 15268->15271 15272 40d2d8 WriteFile CloseHandle 15268->15272 15269->15271 15270 40d452 SetFileAttributesA 15270->15271 15271->15210 15271->15212 15271->15217 15271->15219 15271->15224 15271->15225 15271->15226 15271->15227 15271->15228 15271->15230 15271->15231 15271->15233 15271->15234 15271->15235 15271->15236 15271->15237 15271->15238 15271->15239 15271->15240 15271->15242 15271->15243 15271->15248 15271->15249 15271->15250 15271->15252 15271->15253 15271->15255 15271->15256 15271->15258 15271->15264 15271->15265 15271->15267 15271->15268 15271->15270 15273 407ee6 64 API calls 15271->15273 15274 40d29f SetFileAttributesA 15271->15274 15277 40d31d SetFileAttributesA 15271->15277 15678 40c75d 15271->15678 15690 407e2f 15271->15690 15712 407ead 15271->15712 15722 4031d0 15271->15722 15739 403c09 15271->15739 15749 403a00 15271->15749 15753 40e7b4 15271->15753 15756 40c06c 15271->15756 15762 406f5f GetUserNameA 15271->15762 15773 40e854 15271->15773 15783 407dd6 15271->15783 15272->15271 15273->15271 15274->15268 15277->15271 15279 40741b 15278->15279 15280 406dc2 6 API calls 15279->15280 15281 40743f 15280->15281 15282 407469 RegOpenKeyExA 15281->15282 15284 4077f9 15282->15284 15294 407487 ___ascii_stricmp 15282->15294 15283 407703 RegEnumKeyA 15285 407714 RegCloseKey 15283->15285 15283->15294 15284->14951 15285->15284 15286 40f1a5 lstrlenA 15286->15294 15287 4074d2 RegOpenKeyExA 15287->15294 15288 40772c 15290 407742 RegCloseKey 15288->15290 15291 40774b 15288->15291 15289 407521 RegQueryValueExA 15289->15294 15290->15291 15292 4077ec RegCloseKey 15291->15292 15292->15284 15293 4076e4 RegCloseKey 15293->15294 15294->15283 15294->15286 15294->15287 15294->15288 15294->15289 15294->15293 15296 40777e GetFileAttributesExA 15294->15296 15297 407769 15294->15297 15295 4077e3 RegCloseKey 
15295->15292 15296->15297 15297->15295 15299 407073 15298->15299 15300 4070b9 RegOpenKeyExA 15299->15300 15301 4070d0 15300->15301 15315 4071b8 15300->15315 15302 406dc2 6 API calls 15301->15302 15305 4070d5 15302->15305 15303 40719b RegEnumValueA 15304 4071af RegCloseKey 15303->15304 15303->15305 15304->15315 15305->15303 15307 4071d0 15305->15307 15321 40f1a5 lstrlenA 15305->15321 15308 407205 RegCloseKey 15307->15308 15309 407227 15307->15309 15308->15315 15310 4072b8 ___ascii_stricmp 15309->15310 15311 40728e RegCloseKey 15309->15311 15312 4072cd RegCloseKey 15310->15312 15313 4072dd 15310->15313 15311->15315 15312->15315 15314 407311 RegCloseKey 15313->15314 15317 407335 15313->15317 15314->15315 15315->14955 15316 4073d5 RegCloseKey 15318 4073e4 15316->15318 15317->15316 15319 40737e GetFileAttributesExA 15317->15319 15320 407397 15317->15320 15319->15320 15320->15316 15322 40f1c3 15321->15322 15322->15305 15324 406e97 15323->15324 15325 406e5f LookupAccountNameW 15323->15325 15324->14957 15325->15324 15327 40eb17 15326->15327 15329 40eb21 15326->15329 15336 40eae4 15327->15336 15329->14997 15332 4069b9 WriteFile 15330->15332 15333 406a3c 15332->15333 15335 4069ff 15332->15335 15333->14993 15333->14994 15334 406a10 WriteFile 15334->15333 15334->15335 15335->15333 15335->15334 15337 40eb02 GetProcAddress 15336->15337 15338 40eaed LoadLibraryA 15336->15338 15337->15329 15338->15337 15339 40eb01 15338->15339 15339->15329 15341 401924 GetVersionExA 15340->15341 15341->15008 15343 406f55 15342->15343 15344 406eef AllocateAndInitializeSid 15342->15344 15343->15018 15345 406f44 15344->15345 15346 406f1c CheckTokenMembership 15344->15346 15345->15343 15349 406e36 2 API calls 15345->15349 15347 406f3b FreeSid 15346->15347 15348 406f2e 15346->15348 15347->15345 15348->15347 15349->15343 15351 40f0f1 15350->15351 15352 40f0ed 15350->15352 15353 40f119 15351->15353 15354 40f0fa lstrlenA SysAllocStringByteLen 15351->15354 15352->15040 15356 40f11c MultiByteToWideChar 
15353->15356 15355 40f117 15354->15355 15354->15356 15355->15040 15356->15355 15358 4018f9 15357->15358 15359 4018fd 15357->15359 15358->15036 15367 401280 15359->15367 15361 401908 15361->15036 15364 40920e 15362->15364 15366 409308 15362->15366 15363 4092f1 Sleep 15363->15364 15364->15363 15364->15364 15365 4092bf ShellExecuteA 15364->15365 15364->15366 15365->15364 15365->15366 15366->15036 15368 4012e1 15367->15368 15369 4016f9 GetLastError 15368->15369 15370 4013a8 15368->15370 15371 401699 15369->15371 15370->15371 15372 401570 lstrlenW 15370->15372 15373 4015be GetStartupInfoW 15370->15373 15374 4015ff CreateProcessWithLogonW 15370->15374 15378 401668 CloseHandle 15370->15378 15371->15361 15372->15370 15373->15370 15375 4016bf GetLastError 15374->15375 15376 40163f WaitForSingleObject 15374->15376 15375->15371 15376->15370 15377 401659 CloseHandle 15376->15377 15377->15370 15378->15370 15380 40908d 15379->15380 15381 4090e2 wsprintfA 15380->15381 15382 40ee2a 15381->15382 15383 4090fd CreateFileA 15382->15383 15384 40911a lstrlenA WriteFile CloseHandle 15383->15384 15385 40913f 15383->15385 15384->15385 15385->15056 15385->15057 15387 40dd41 InterlockedExchange 15386->15387 15388 40dd20 GetCurrentThreadId 15387->15388 15389 40dd4a 15387->15389 15390 40dd53 GetCurrentThreadId 15388->15390 15391 40dd2e GetTickCount 15388->15391 15389->15390 15390->15060 15391->15389 15392 40dd39 Sleep 15391->15392 15392->15387 15394 40dbf0 15393->15394 15426 40db67 GetEnvironmentVariableA 15394->15426 15396 40dcda 15396->15062 15397 40dc19 15397->15396 15398 40db67 3 API calls 15397->15398 15399 40dc5c 15398->15399 15399->15396 15400 40db67 3 API calls 15399->15400 15401 40dc9b 15400->15401 15401->15396 15402 40db67 3 API calls 15401->15402 15402->15396 15404 40db55 15403->15404 15405 40db3a 15403->15405 15404->15064 15404->15069 15430 40ebed 15405->15430 15439 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15407->15439 15409 40e3be 15409->15064 15410 40e342 15410->15409 
15442 40de24 15410->15442 15413 40e528 15412->15413 15414 40e3f4 15412->15414 15413->15073 15415 40e434 RegQueryValueExA 15414->15415 15416 40e458 15415->15416 15417 40e51d RegCloseKey 15415->15417 15418 40e46e RegQueryValueExA 15416->15418 15417->15413 15418->15416 15419 40e488 15418->15419 15419->15417 15420 40db2e 8 API calls 15419->15420 15421 40e499 15420->15421 15421->15417 15422 40e4b9 RegQueryValueExA 15421->15422 15423 40e4e8 15421->15423 15422->15421 15422->15423 15423->15417 15424 40e332 14 API calls 15423->15424 15425 40e513 15424->15425 15425->15417 15427 40db89 lstrcpyA CreateFileA 15426->15427 15428 40dbca 15426->15428 15427->15397 15428->15397 15431 40ec01 15430->15431 15432 40ebf6 15430->15432 15434 40eba0 codecvt 2 API calls 15431->15434 15433 40ebcc 4 API calls 15432->15433 15435 40ebfe 15433->15435 15436 40ec0a GetProcessHeap HeapReAlloc 15434->15436 15435->15404 15437 40eb74 2 API calls 15436->15437 15438 40ec28 15437->15438 15438->15404 15453 40eb41 15439->15453 15443 40de3a 15442->15443 15450 40de4e 15443->15450 15457 40dd84 15443->15457 15446 40de9e 15447 40ebed 8 API calls 15446->15447 15446->15450 15451 40def6 15447->15451 15448 40de76 15461 40ddcf 15448->15461 15450->15410 15451->15450 15452 40ddcf lstrcmpA 15451->15452 15452->15450 15454 40eb4a 15453->15454 15456 40eb54 15453->15456 15455 40eae4 2 API calls 15454->15455 15455->15456 15456->15410 15458 40ddc5 15457->15458 15459 40dd96 15457->15459 15458->15446 15458->15448 15459->15458 15460 40ddad lstrcmpiA 15459->15460 15460->15458 15460->15459 15462 40de20 15461->15462 15463 40dddd 15461->15463 15462->15450 15463->15462 15464 40ddfa lstrcmpA 15463->15464 15464->15463 15466 40dd05 6 API calls 15465->15466 15467 40e821 15466->15467 15468 40dd84 lstrcmpiA 15467->15468 15469 40e82c 15468->15469 15470 40e844 15469->15470 15513 402480 15469->15513 15470->15089 15473 40dd05 6 API calls 15472->15473 15474 40df7c 15473->15474 15475 40dd84 lstrcmpiA 15474->15475 15479 40df89 15475->15479 15476 
40dfc4 15476->15095 15477 40ddcf lstrcmpA 15477->15479 15478 40ec2e codecvt 4 API calls 15478->15479 15479->15476 15479->15477 15479->15478 15480 40dd84 lstrcmpiA 15479->15480 15480->15479 15482 40ea98 15481->15482 15522 40e8a1 15482->15522 15484 401e84 15484->15098 15486 4019d5 GetProcAddress GetProcAddress GetProcAddress 15485->15486 15487 4019ce 15485->15487 15488 401ab3 FreeLibrary 15486->15488 15489 401a04 15486->15489 15487->15102 15488->15487 15489->15488 15490 401a14 GetProcessHeap 15489->15490 15490->15487 15492 401a2e HeapAlloc 15490->15492 15492->15487 15493 401a42 15492->15493 15494 401a52 HeapReAlloc 15493->15494 15496 401a62 15493->15496 15494->15496 15495 401aa1 FreeLibrary 15495->15487 15496->15495 15497 401a96 HeapFree 15496->15497 15497->15495 15550 401ac3 LoadLibraryA 15498->15550 15501 401bcf 15501->15112 15503 401ac3 12 API calls 15502->15503 15504 401c09 15503->15504 15505 401c41 15504->15505 15506 401c0d GetComputerNameA 15504->15506 15505->15121 15507 401c45 GetVolumeInformationA 15506->15507 15508 401c1f 15506->15508 15507->15505 15508->15505 15508->15507 15510 40ee2a 15509->15510 15511 4030d0 gethostname gethostbyname 15510->15511 15512 401f82 15511->15512 15512->15126 15512->15128 15516 402419 lstrlenA 15513->15516 15515 402491 15515->15470 15517 40243d lstrlenA 15516->15517 15520 402474 15516->15520 15518 402464 lstrlenA 15517->15518 15519 40244e lstrcmpiA 15517->15519 15518->15517 15518->15520 15519->15518 15521 40245c 15519->15521 15520->15515 15521->15518 15521->15520 15523 40dd05 6 API calls 15522->15523 15524 40e8b4 15523->15524 15525 40dd84 lstrcmpiA 15524->15525 15526 40e8c0 15525->15526 15527 40e90a 15526->15527 15528 40e8c8 lstrcpynA 15526->15528 15529 402419 4 API calls 15527->15529 15539 40ea27 15527->15539 15530 40e8f5 15528->15530 15531 40e926 lstrlenA lstrlenA 15529->15531 15543 40df4c 15530->15543 15532 40e96a 15531->15532 15533 40e94c lstrlenA 15531->15533 15537 40ebcc 4 API calls 15532->15537 15532->15539 15533->15532 
15535 40e901 15536 40dd84 lstrcmpiA 15535->15536 15536->15527 15538 40e98f 15537->15538 15538->15539 15540 40df4c 20 API calls 15538->15540 15539->15484 15541 40ea1e 15540->15541 15542 40ec2e codecvt 4 API calls 15541->15542 15542->15539 15544 40dd05 6 API calls 15543->15544 15545 40df51 15544->15545 15546 40f04e 4 API calls 15545->15546 15547 40df58 15546->15547 15548 40de24 10 API calls 15547->15548 15549 40df63 15548->15549 15549->15535 15551 401ae2 GetProcAddress 15550->15551 15552 401b68 GetComputerNameA GetVolumeInformationA 15550->15552 15551->15552 15553 401af5 15551->15553 15552->15501 15554 40ebed 8 API calls 15553->15554 15555 401b29 15553->15555 15554->15553 15555->15552 15556 40ec2e codecvt 4 API calls 15555->15556 15556->15552 15558 406ec3 2 API calls 15557->15558 15559 407ef4 15558->15559 15560 4073ff 17 API calls 15559->15560 15569 407fc9 15559->15569 15561 407f16 15560->15561 15561->15569 15570 407809 GetUserNameA 15561->15570 15563 407f63 15564 40ef1e lstrlenA 15563->15564 15563->15569 15565 407fa6 15564->15565 15566 40ef1e lstrlenA 15565->15566 15567 407fb7 15566->15567 15594 407a95 RegOpenKeyExA 15567->15594 15569->15140 15571 40783d LookupAccountNameA 15570->15571 15572 407a8d 15570->15572 15571->15572 15573 407874 GetLengthSid GetFileSecurityA 15571->15573 15572->15563 15573->15572 15574 4078a8 GetSecurityDescriptorOwner 15573->15574 15575 4078c5 EqualSid 15574->15575 15576 40791d GetSecurityDescriptorDacl 15574->15576 15575->15576 15577 4078dc LocalAlloc 15575->15577 15576->15572 15583 407941 15576->15583 15577->15576 15578 4078ef InitializeSecurityDescriptor 15577->15578 15579 407916 LocalFree 15578->15579 15580 4078fb SetSecurityDescriptorOwner 15578->15580 15579->15576 15580->15579 15582 40790b SetFileSecurityA 15580->15582 15581 40795b GetAce 15581->15583 15582->15579 15583->15572 15583->15581 15584 407980 EqualSid 15583->15584 15585 407a3d 15583->15585 15586 4079be EqualSid 15583->15586 15587 40799d DeleteAce 15583->15587 15584->15583 
15585->15572 15588 407a43 LocalAlloc 15585->15588 15586->15583 15587->15583 15588->15572 15589 407a56 InitializeSecurityDescriptor 15588->15589 15590 407a62 SetSecurityDescriptorDacl 15589->15590 15591 407a86 LocalFree 15589->15591 15590->15591 15592 407a73 SetFileSecurityA 15590->15592 15591->15572 15592->15591 15593 407a83 15592->15593 15593->15591 15595 407ac4 15594->15595 15596 407acb GetUserNameA 15594->15596 15595->15569 15597 407da7 RegCloseKey 15596->15597 15598 407aed LookupAccountNameA 15596->15598 15597->15595 15598->15597 15599 407b24 RegGetKeySecurity 15598->15599 15599->15597 15600 407b49 GetSecurityDescriptorOwner 15599->15600 15601 407b63 EqualSid 15600->15601 15602 407bb8 GetSecurityDescriptorDacl 15600->15602 15601->15602 15604 407b74 LocalAlloc 15601->15604 15603 407da6 15602->15603 15611 407bdc 15602->15611 15603->15597 15604->15602 15605 407b8a InitializeSecurityDescriptor 15604->15605 15607 407bb1 LocalFree 15605->15607 15608 407b96 SetSecurityDescriptorOwner 15605->15608 15606 407bf8 GetAce 15606->15611 15607->15602 15608->15607 15609 407ba6 RegSetKeySecurity 15608->15609 15609->15607 15610 407c1d EqualSid 15610->15611 15611->15603 15611->15606 15611->15610 15612 407cd9 15611->15612 15613 407c5f EqualSid 15611->15613 15614 407c3a DeleteAce 15611->15614 15612->15603 15615 407d5a LocalAlloc 15612->15615 15616 407cf2 RegOpenKeyExA 15612->15616 15613->15611 15614->15611 15615->15603 15617 407d70 InitializeSecurityDescriptor 15615->15617 15616->15615 15622 407d0f 15616->15622 15618 407d7c SetSecurityDescriptorDacl 15617->15618 15619 407d9f LocalFree 15617->15619 15618->15619 15620 407d8c RegSetKeySecurity 15618->15620 15619->15603 15620->15619 15621 407d9c 15620->15621 15621->15619 15623 407d43 RegSetValueExA 15622->15623 15623->15615 15624 407d54 15623->15624 15624->15615 15625->15156 15627 40dd05 6 API calls 15626->15627 15630 40e65f 15627->15630 15628 40e6a5 15629 40ebcc 4 API calls 15628->15629 15633 40e6f5 15628->15633 15632 40e6b0 
15629->15632 15630->15628 15631 40e68c lstrcmpA 15630->15631 15631->15630 15632->15633 15635 40e6b7 15632->15635 15636 40e6e0 lstrcpynA 15632->15636 15634 40e71d lstrcmpA 15633->15634 15633->15635 15634->15633 15635->15158 15636->15633 15637->15164 15639 40c525 15638->15639 15644 40c532 15638->15644 15642 40ec2e codecvt 4 API calls 15639->15642 15639->15644 15640 40c548 15643 40e7ff lstrcmpiA 15640->15643 15649 40c54f 15640->15649 15642->15644 15645 40c615 15643->15645 15644->15640 15790 40e7ff 15644->15790 15646 40ebcc 4 API calls 15645->15646 15645->15649 15646->15649 15647 40c5d1 15651 40ebcc 4 API calls 15647->15651 15649->15177 15650 40e819 11 API calls 15652 40c5b7 15650->15652 15651->15649 15653 40f04e 4 API calls 15652->15653 15654 40c5bf 15653->15654 15654->15640 15654->15647 15656 402692 inet_addr 15655->15656 15657 40268e 15655->15657 15656->15657 15658 40269e gethostbyname 15656->15658 15659 40f428 15657->15659 15658->15657 15793 40f315 15659->15793 15664 40c8d2 15662->15664 15663 40c907 15663->15179 15664->15663 15665 40c517 23 API calls 15664->15665 15665->15663 15666 40f43e 15667 40f473 recv 15666->15667 15668 40f458 15667->15668 15669 40f47c 15667->15669 15668->15667 15668->15669 15669->15195 15671 40c670 15670->15671 15672 40c67d 15670->15672 15673 40ebcc 4 API calls 15671->15673 15674 40ebcc 4 API calls 15672->15674 15676 40c699 15672->15676 15673->15672 15674->15676 15675 40c6f3 15675->15208 15675->15271 15676->15675 15677 40c73c send 15676->15677 15677->15675 15679 40c770 15678->15679 15680 40c77d 15678->15680 15682 40ebcc 4 API calls 15679->15682 15681 40c799 15680->15681 15683 40ebcc 4 API calls 15680->15683 15684 40c7b5 15681->15684 15685 40ebcc 4 API calls 15681->15685 15682->15680 15683->15681 15686 40f43e recv 15684->15686 15685->15684 15687 40c7cb 15686->15687 15688 40f43e recv 15687->15688 15689 40c7d3 15687->15689 15688->15689 15689->15271 15806 407db7 15690->15806 15693 407e96 15693->15271 15694 407e70 15694->15693 15696 40f04e 4 API 
calls 15694->15696 15695 40f04e 4 API calls 15697 407e4c 15695->15697 15696->15693 15697->15694 15698 40f04e 4 API calls 15697->15698 15698->15694 15700 406ec3 2 API calls 15699->15700 15701 407fdd 15700->15701 15702 4080c2 CreateProcessA 15701->15702 15703 4073ff 17 API calls 15701->15703 15702->15260 15702->15261 15704 407fff 15703->15704 15704->15702 15705 407809 21 API calls 15704->15705 15706 40804d 15705->15706 15706->15702 15707 40ef1e lstrlenA 15706->15707 15708 40809e 15707->15708 15709 40ef1e lstrlenA 15708->15709 15710 4080af 15709->15710 15711 407a95 24 API calls 15710->15711 15711->15702 15713 407db7 2 API calls 15712->15713 15714 407eb8 15713->15714 15715 40f04e 4 API calls 15714->15715 15716 407ece DeleteFileA 15715->15716 15716->15271 15718 40dd05 6 API calls 15717->15718 15719 40e31d 15718->15719 15810 40e177 15719->15810 15721 40e326 15721->15232 15723 4031f3 15722->15723 15733 4031ec 15722->15733 15724 40ebcc 4 API calls 15723->15724 15731 4031fc 15724->15731 15725 403459 15728 40f04e 4 API calls 15725->15728 15726 40349d 15727 40ec2e codecvt 4 API calls 15726->15727 15727->15733 15729 40345f 15728->15729 15730 4030fa 4 API calls 15729->15730 15730->15733 15732 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15731->15732 15731->15733 15734 40344d 15731->15734 15737 40344b 15731->15737 15738 403141 lstrcmpiA 15731->15738 15836 4030fa GetTickCount 15731->15836 15732->15731 15733->15271 15735 40ec2e codecvt 4 API calls 15734->15735 15735->15737 15737->15725 15737->15726 15738->15731 15740 4030fa 4 API calls 15739->15740 15741 403c1a 15740->15741 15742 403ce6 15741->15742 15841 403a72 15741->15841 15742->15271 15745 403a72 9 API calls 15748 403c5e 15745->15748 15746 403a72 9 API calls 15746->15748 15747 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15747->15748 15748->15742 15748->15746 15748->15747 15750 403a10 15749->15750 15751 4030fa 4 API calls 15750->15751 15752 403a1a 15751->15752 15752->15271 15754 40dd05 6 API calls 
15753->15754 15755 40e7be 15754->15755 15755->15271 15757 40c07e wsprintfA 15756->15757 15761 40c105 15756->15761 15850 40bfce GetTickCount wsprintfA 15757->15850 15759 40c0ef 15851 40bfce GetTickCount wsprintfA 15759->15851 15761->15271 15763 407047 15762->15763 15764 406f88 LookupAccountNameA 15762->15764 15763->15271 15766 407025 15764->15766 15768 406fcb 15764->15768 15767 406edd 5 API calls 15766->15767 15769 40702a wsprintfA 15767->15769 15770 406fdb ConvertSidToStringSidA 15768->15770 15769->15763 15770->15766 15771 406ff1 15770->15771 15772 407013 LocalFree 15771->15772 15772->15766 15774 40dd05 6 API calls 15773->15774 15775 40e85c 15774->15775 15776 40dd84 lstrcmpiA 15775->15776 15777 40e867 15776->15777 15778 40e885 lstrcpyA 15777->15778 15852 4024a5 15777->15852 15855 40dd69 15778->15855 15784 407db7 2 API calls 15783->15784 15785 407de1 15784->15785 15786 40f04e 4 API calls 15785->15786 15789 407e16 15785->15789 15787 407df2 15786->15787 15788 40f04e 4 API calls 15787->15788 15787->15789 15788->15789 15789->15271 15791 40dd84 lstrcmpiA 15790->15791 15792 40c58e 15791->15792 15792->15640 15792->15647 15792->15650 15794 40ca1d 15793->15794 15795 40f33b 15793->15795 15794->15192 15794->15666 15796 40f347 htons socket 15795->15796 15797 40f382 ioctlsocket 15796->15797 15798 40f374 closesocket 15796->15798 15799 40f3aa connect select 15797->15799 15800 40f39d 15797->15800 15798->15794 15799->15794 15802 40f3f2 __WSAFDIsSet 15799->15802 15801 40f39f closesocket 15800->15801 15801->15794 15802->15801 15803 40f403 ioctlsocket 15802->15803 15805 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15803->15805 15805->15794 15807 407dc8 InterlockedExchange 15806->15807 15808 407dc0 Sleep 15807->15808 15809 407dd4 15807->15809 15808->15807 15809->15694 15809->15695 15811 40e184 15810->15811 15812 40e2e4 15811->15812 15813 40e223 15811->15813 15826 40dfe2 15811->15826 15812->15721 15813->15812 15815 40dfe2 8 API calls 15813->15815 15820 40e23c 
15815->15820 15816 40e1be 15816->15813 15817 40dbcf 3 API calls 15816->15817 15819 40e1d6 15817->15819 15818 40e21a CloseHandle 15818->15813 15819->15813 15819->15818 15821 40e1f9 WriteFile 15819->15821 15820->15812 15830 40e095 RegCreateKeyExA 15820->15830 15821->15818 15823 40e213 15821->15823 15823->15818 15824 40e2a3 15824->15812 15825 40e095 4 API calls 15824->15825 15825->15812 15827 40e024 15826->15827 15828 40dffc 15826->15828 15827->15816 15828->15827 15829 40db2e 8 API calls 15828->15829 15829->15827 15831 40e172 15830->15831 15833 40e0c0 15830->15833 15831->15824 15832 40e13d 15834 40e14e RegDeleteValueA RegCloseKey 15832->15834 15833->15832 15835 40e115 RegSetValueExA 15833->15835 15834->15831 15835->15832 15835->15833 15837 403122 InterlockedExchange 15836->15837 15838 40312e 15837->15838 15839 40310f GetTickCount 15837->15839 15838->15731 15839->15838 15840 40311a Sleep 15839->15840 15840->15837 15842 40f04e 4 API calls 15841->15842 15845 403a83 15842->15845 15843 403ac1 15843->15742 15843->15745 15844 403be6 15848 40ec2e codecvt 4 API calls 15844->15848 15845->15843 15847 403bc0 15845->15847 15849 403b66 lstrlenA 15845->15849 15846 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15846->15847 15847->15844 15847->15846 15848->15843 15849->15843 15849->15845 15850->15759 15851->15761 15853 402419 4 API calls 15852->15853 15854 4024b6 15853->15854 15854->15778 15856 40dd79 lstrlenA 15855->15856 15856->15271 15858 404084 15857->15858 15859 40407d 15857->15859 15860 403ecd 6 API calls 15858->15860 15861 40408f 15860->15861 15862 404000 3 API calls 15861->15862 15864 404095 15862->15864 15863 404130 15865 403ecd 6 API calls 15863->15865 15864->15863 15869 403f18 4 API calls 15864->15869 15866 404159 CreateNamedPipeA 15865->15866 15867 404167 Sleep 15866->15867 15868 404188 ConnectNamedPipe 15866->15868 15867->15863 15872 404176 CloseHandle 15867->15872 15871 404195 GetLastError 15868->15871 15883 4041ab 15868->15883 15870 4040da 15869->15870 
15873 403f8c 4 API calls 15870->15873 15874 40425e DisconnectNamedPipe 15871->15874 15871->15883 15872->15868 15875 4040ec 15873->15875 15874->15868 15876 4040f3 15875->15876 15877 404127 CloseHandle 15875->15877 15876->15877 15878 404101 15876->15878 15877->15863 15879 403f18 4 API calls 15878->15879 15880 40411c ExitProcess 15879->15880 15881 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15881->15883 15882 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15882->15883 15883->15868 15883->15874 15883->15881 15883->15882 15884 40426a CloseHandle CloseHandle 15883->15884 15885 40e318 23 API calls 15884->15885 15886 40427b 15885->15886 15886->15886 15888 408791 15887->15888 15889 40879f 15887->15889 15890 40f04e 4 API calls 15888->15890 15891 4087bc 15889->15891 15892 40f04e 4 API calls 15889->15892 15890->15889 15893 40e819 11 API calls 15891->15893 15892->15891 15894 4087d7 15893->15894 15906 408803 15894->15906 15908 4026b2 gethostbyaddr 15894->15908 15896 4087eb 15898 40e8a1 30 API calls 15896->15898 15896->15906 15898->15906 15901 40e819 11 API calls 15901->15906 15902 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15902->15906 15903 4088a0 Sleep 15903->15906 15905 4026b2 2 API calls 15905->15906 15906->15901 15906->15902 15906->15903 15906->15905 15907 40e8a1 30 API calls 15906->15907 15913 40c4d6 15906->15913 15916 40c4e2 15906->15916 15919 402011 15906->15919 15954 408328 15906->15954 15907->15906 15909 4026fb 15908->15909 15910 4026cd 15908->15910 15909->15896 15911 4026e1 inet_ntoa 15910->15911 15912 4026de 15910->15912 15911->15912 15912->15896 16006 40c2dc 15913->16006 15917 40c2dc 141 API calls 15916->15917 15918 40c4ec 15917->15918 15918->15906 15920 402020 15919->15920 15921 40202e 15919->15921 15923 40f04e 4 API calls 15920->15923 15922 40204b 15921->15922 15924 40f04e 4 API calls 15921->15924 15925 40206e GetTickCount 15922->15925 15926 40f04e 4 API calls 15922->15926 
control_flow_graph (continued): basic-block edge list of the rendered graph image, node ids 15923-16440 and 14663-14829, with calls to GetTickCount, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey, CreateProcessA, CreateThread, socket, select, recv, sendto, gethostbyname, Module32First, VirtualAlloc, VirtualProtect and LoadLibraryA; the API call sites are listed below.
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe$C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe$D$P$\$qeuwztgf
• API String ID: 2089075347-2445309917
• Opcode ID: 51b3fdeb16769e607b7420a4e79e81e5addf88b96e881b4fbfa3e3990a533921
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 51b3fdeb16769e607b7420a4e79e81e5addf88b96e881b4fbfa3e3990a533921
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph
control_flow_graph: function 40637c-40640f, basic-block edge list of the rendered graph image (blocks 543-554) with calls to GetModuleHandleA, VirtualAlloc, VirtualAllocEx and WriteProcessMemory; the API call sites are listed below.
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: ee9ff6285cd0759b386b71dc2009f55f092fb3ff13d227db5bcc73c144141d81
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: ee9ff6285cd0759b386b71dc2009f55f092fb3ff13d227db5bcc73c144141d81
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

Control-flow Graph
control_flow_graph: function 4073ff-407808, basic-block edge list of the rendered graph image (blocks 264-384) with calls to RegOpenKeyExA, RegQueryValueExA, RegEnumKeyA, RegCloseKey and GetFileAttributesExA; the API call sites are listed below.
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.KERNELBASE(?), ref: 004077E6
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
• ExitProcess.KERNEL32 ref: 00404121
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02A7024D
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691

APIs
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Similarity
• API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2098669666-2746444292

APIs
• ReadFile.KERNELBASE(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0

APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0

APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0

APIs
• GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Similarity
• API ID: Name$AccountLookupUser
• String ID:
• API String ID: 2370142434-0

APIs
• SetErrorMode.KERNELBASE(00000400,?,?,02A70223,?,?), ref: 02A70E19
• SetErrorMode.KERNELBASE(00000000,?,?,02A70223,?,?), ref: 02A70E1E
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0

                                                                                            control_flow_graph 586 406dc2-406dd5 587 406e33-406e35 586->587 588 406dd7-406df1 call 406cc9 call 40ef00 586->588 593 406df4-406df9 588->593 593->593 594 406dfb-406e00 593->594 595 406e02-406e22 GetVolumeInformationA 594->595 596 406e24 594->596 595->596 597 406e2e 595->597 596->597 597->587
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1823874839-0
                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                            • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                            Control-flow Graph (rendered graph not reproduced in this text extraction)
                                                                                            APIs
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 02AB188C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160657446.0000000002AAD000.00000040.00000020.00020000.00000000.sdmp, Offset: 02AAD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2aad000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: FirstModule32
                                                                                            • String ID:
                                                                                            • API String ID: 3757679902-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: 06af0f0b55c9ccdd9452eaa6d0492f039699fc6962140b3b47a7ece2ec782a1b
                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction Fuzzy Hash: FBF062321007116FDB213BF5A8DCBEA76ECFF49665F100528E64A910C1DF70E9458A61

                                                                                            Control-flow Graph (rendered graph not reproduced in this text extraction)
                                                                                            APIs
                                                                                            • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: ServiceStatus
                                                                                            • String ID:
                                                                                            • API String ID: 3969395364-0
                                                                                            • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                            • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                            • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                            • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                            Control-flow Graph (rendered graph not reproduced in this text extraction)
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02AB1554
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160657446.0000000002AAD000.00000040.00000020.00020000.00000000.sdmp, Offset: 02AAD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2aad000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: 531eaac7c4d96c922100ac7a87a69ad8a7fac2f1bfbbb8e0346867d1278acd66
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: 35112B79A40208EFDB01DF98CA95E98BFF5AF08750F1580A4F9489B362D771EA50DF90

                                                                                            Control-flow Graph (rendered graph not reproduced in this text extraction)
                                                                                            APIs
                                                                                              • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateEventSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3100162736-0
                                                                                            • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                            • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                            • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                            • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 02A765F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02A76610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02A76631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02A76652
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 91d8e4455adb412d360fcbefd51214dd56fcd78b1d35ba433a00ab05af252b99
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: 8F114F71600218BFDB259F65DD45F9B3FACEB05BA5F104024FA09A7251DBB1DD008AA8
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 02A79E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 02A79FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 02A79FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 02A7A004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 02A7A054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02A7A09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02A7A0D6
                                                                                            • lstrcpy.KERNEL32 ref: 02A7A12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 02A7A13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 02A79F13
                                                                                              • Part of subcall function 02A77029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02A77081
                                                                                              • Part of subcall function 02A76F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\iwmorlyx,02A77043), ref: 02A76F4E
                                                                                              • Part of subcall function 02A76F30: GetProcAddress.KERNEL32(00000000), ref: 02A76F55
                                                                                              • Part of subcall function 02A76F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02A76F7B
                                                                                              • Part of subcall function 02A76F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02A76F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 02A7A1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02A7A1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 02A7A214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 02A7A21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 02A7A265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 02A7A29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 02A7A2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 02A7A2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 02A7A2F4
                                                                                            • wsprintfA.USER32 ref: 02A7A31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 02A7A345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 02A7A364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 02A7A387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 02A7A398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02A7A1D1
                                                                                              • Part of subcall function 02A79966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 02A7999D
                                                                                              • Part of subcall function 02A79966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 02A799BD
                                                                                              • Part of subcall function 02A79966: RegCloseKey.ADVAPI32(?), ref: 02A799C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 02A7A3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 02A7A3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 02A7A41D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: 34a7a4f8073281681ce54dad7b3482ef90154d9983337e3af99793530f55e198
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: 88F132B1D40259BFDF11DFA08D88FEF7BBDAB08304F0444A6E605E2141EB758A858F69
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: def56848a29238af3b3263ec016d123599b8ce3514d2c8bce6aae186bf62253e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: def56848a29238af3b3263ec016d123599b8ce3514d2c8bce6aae186bf62253e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: 9c254f7c2f4551e4858b08560ebcfb375181b6b247abdacfd65a4178375c92cf
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: 9c254f7c2f4551e4858b08560ebcfb375181b6b247abdacfd65a4178375c92cf
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe$D
                                                                                            • API String ID: 2976863881-2152778875
                                                                                            • Opcode ID: eb1a08a2c71bfc4e71cb34ece599553e47f8ddafd4bc37f5bbc1e22e926e6740
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: eb1a08a2c71bfc4e71cb34ece599553e47f8ddafd4bc37f5bbc1e22e926e6740
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02A77D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02A77D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02A77D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02A77DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02A77DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02A77DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02A77DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02A77DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02A77E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02A77E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02A77E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02A77E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe$D
                                                                                            • API String ID: 2976863881-2152778875
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: 81012a10efef0bd9fbd97f21a6845b65fe5ac994851f800d8eed89598f63cb57
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: 28A13072900219AFDF11DFA5DD88FEFBBB9FB08304F04816AE505E6150DB758A85CB68
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: 61f8b68dd9f344f506cfc8e29852887e470a3443c6047e34725b67e0d060e89d
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: 61f8b68dd9f344f506cfc8e29852887e470a3443c6047e34725b67e0d060e89d
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ae3e940a4bde8c590484db18a6dae5c4a8b1995a6f5a2f6c6eb5761f3b661a67
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ae3e940a4bde8c590484db18a6dae5c4a8b1995a6f5a2f6c6eb5761f3b661a67
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
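The string list of this function is the whole SMTP client in outline: lowercase `ehlo %s` / `helo %s`, `AUTH LOGIN`, `mail from:<%s>` and `rcpt to:<%s>` with no space after the colon, `data`, the lone `.` terminator and `quit`, a `recv()` into a 0x3F6-byte buffer, and three reply checks that the sample reports as "Too small respons", "Too big smtp respons (%d bytes)" and "Incorrect respons". The block below is an added example, not code from the sample or from Joe Sandbox: it rebuilds those reply checks so their thresholds are explicit, and parses the client-to-server half of a captured session against the same command templates as a hunting heuristic. The 3-byte lower bound, the order in which the checks are applied, the constructed session transcripts and the idea that an uppercase-verb client is "normal" are all assumptions; lowercase SMTP verbs are legal, so a high match ratio is a lead to confirm against the owning process, not a verdict.

```python
import re

# Command templates as they appear in the function's strings: lowercase verbs
# and no space after the colon in "mail from:<" / "rcpt to:<".
TOFSEE_TEMPLATES = {
    "ehlo": re.compile(r"^ehlo \S+$"),
    "helo": re.compile(r"^helo \S+$"),
    "auth": re.compile(r"^AUTH LOGIN$"),
    "mail": re.compile(r"^mail from:<[^>]*>$"),
    "rcpt": re.compile(r"^rcpt to:<[^>]*>$"),
    "data": re.compile(r"^data$"),
    "quit": re.compile(r"^quit$"),
}
SEQUENCE = ["ehlo", "auth", "mail", "rcpt", "data", "quit"]   # "helo" is the fallback for "ehlo"

# recv() is called with a 0x3F6-byte buffer, which is where "Too big smtp
# respons" comes from.  The lower bound behind "Too small respons" is not on
# the page; 3 bytes (a bare status code) is an assumption, as is the order
# of the three checks.
MAX_REPLY = 0x3F6
MIN_REPLY = 3


def reply_problem(raw: bytes, expected_code: int) -> str:
    """Return the error string the sample uses for this reply, or '' if the
    reply passes all three checks."""
    if len(raw) < MIN_REPLY:
        return "Too small respons"
    if len(raw) > MAX_REPLY:
        return "Too big smtp respons (%d bytes)" % len(raw)
    m = re.match(rb"(\d{3})\b", raw)      # status code must be exactly 3 digits
    if m is None or int(m.group(1)) != expected_code:
        return "Incorrect respons"
    return ""


def parse_client_stream(stream: bytes) -> list:
    """One entry per command line: the template name it matched, or None.
    Lines between DATA and the lone '.' are the message body and are skipped
    regardless of case, so an uppercase client is still parsed correctly."""
    seen, in_body = [], False
    for line in stream.decode("latin-1").split("\r\n"):
        if in_body:
            in_body = line != "."
            continue
        if line == "":
            continue
        seen.append(next((n for n, rx in TOFSEE_TEMPLATES.items() if rx.match(line)), None))
        if line.lower() == "data":
            in_body = True
    return seen


def tofsee_smtp_score(stream: bytes) -> dict:
    """Heuristic score for a client->server stream: how many command lines
    match the sample's templates and whether they follow its sequence."""
    seen = parse_client_stream(stream)
    matched = [n for n in seen if n is not None]
    steps = ["ehlo" if n == "helo" else n for n in matched]
    steps = [n for i, n in enumerate(steps) if i == 0 or n != steps[i - 1]]  # collapse repeated rcpt
    return {
        "commands": len(seen),
        "matched": len(matched),
        "ratio": round(len(matched) / len(seen), 2) if seen else 0.0,
        "sequence_ok": bool(steps) and steps == [s for s in SEQUENCE if s in steps],
    }


# Constructed client->server halves of two sessions (not captures from the
# report): one in the sample's format, one from a typical uppercase client.
TOFSEE_STREAM = (b"ehlo mx.example.test\r\n"
                 b"mail from:<sender@example.test>\r\n"
                 b"rcpt to:<victim@example.test>\r\n"
                 b"rcpt to:<other@example.test>\r\n"
                 b"data\r\n"
                 b"Subject: test\r\n\r\nbody line\r\n.\r\n"
                 b"quit\r\n")
NORMAL_STREAM = (b"EHLO mx.example.test\r\n"
                 b"MAIL FROM:<sender@example.test>\r\n"
                 b"RCPT TO:<victim@example.test>\r\n"
                 b"DATA\r\nbody\r\n.\r\n"
                 b"QUIT\r\n")
```

Feed `tofsee_smtp_score()` the reassembled client payload of an outbound TCP/25 flow (for example from a Zeek or tshark follow-stream export); `reply_problem()` is mostly useful for understanding at which reply a sandboxed run gives up, for instance when a sinkhole answers with a banner longer than 1014 bytes.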
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: 93d2068cc19732fe8ad9ae0a9f51e86421eb0c8fa32be1230cd8688bd4bd79d5
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: 93d2068cc19732fe8ad9ae0a9f51e86421eb0c8fa32be1230cd8688bd4bd79d5
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02A77A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02A77ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 02A77ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02A77B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02A77B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02A77B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02A77B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02A77B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02A77B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02A77B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02A77B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02A77B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 02A77BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02A77BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 02A77C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02A77C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02A77CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02A77CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02A77CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02A77CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02A77CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: 261f536df26bc27f7138e5e4e1e6509b459b6fd9bbf8c767ab94f968aeaf6828
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 5F813E72900219AFDB11CFA5DD84FEEBBB8AF0C304F14816AE605E6150DB759A45CFA8
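The two routines above (the registry variant with RegGetKeySecurity/RegSetKeySecurity and the file variant with GetFileSecurityA/SetFileSecurityA, each listed twice because the code is present both in the mapped image at 0x400000 and in the unmapped copy at 0x2A70000) follow the same pattern: resolve the SID of the account the process runs as (GetUserNameA, LookupAccountNameA), read the object's owner and DACL (security information 5 = OWNER | DACL), compare the owner with EqualSid, set the owner to that SID if it differs (SetFileSecurityA / RegSetKeySecurity with 1 = OWNER_SECURITY_INFORMATION), then walk the DACL with GetAce/EqualSid/DeleteAce and write a new DACL (4 = DACL_SECURITY_INFORMATION). The practical question during response is what changed on the dropped file (`C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe` in this run) and its service key. The block below is an added example, not code from the sample or from Joe Sandbox: it parses two SDDL strings, such as `(Get-Acl <path>).Sddl` on a clean host and on the host under investigation (Get-Acl works for both files and `HKLM:\` keys), and reports the owner and ACE differences. The two SDDL strings are constructed for illustration; the baseline ACL for a file under %SystemRoot% is an assumption about a typical host, not something taken from the report.

```python
import re
from dataclasses import dataclass

# Well-known SDDL aliases for the SIDs that matter here; anything else is
# left in its S-1-... form.  TrustedInstaller has no alias.
WELL_KNOWN = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
              "AU": "S-1-5-11", "WD": "S-1-1-0"}
TRUSTED_INSTALLER = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" allow, "D" deny
    flags: str      # inheritance flags, e.g. "OICI"
    rights: str     # "FA", "FR", or a hex mask such as "0x1200a9"
    sid: str        # always the S-1-... form


def expand_sid(token: str) -> str:
    return WELL_KNOWN.get(token, token)


def parse_sddl(sddl: str):
    """Return (owner_sid, dacl_flags, [Ace, ...]) for an SDDL string such as
    the one (Get-Acl <path>).Sddl prints for a file or a registry key."""
    sections = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    owner = expand_sid(sections.get("O", ""))
    dacl = sections.get("D", "")
    flags = dacl.split("(", 1)[0]          # e.g. "PAI": protected + auto-inherited
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        f = body.split(";")                # type;flags;rights;obj_guid;inherit_guid;sid
        if len(f) < 6:
            raise ValueError("malformed ACE: " + body)
        aces.append(Ace(f[0], f[1], f[2], expand_sid(f[5])))
    return owner, flags, aces


def diff_sddl(baseline: str, observed: str) -> dict:
    """Report the owner, DACL-flag and ACE changes between two SDDL strings;
    these three things are the surface the routine above rewrites."""
    b_owner, b_flags, b_aces = parse_sddl(baseline)
    o_owner, o_flags, o_aces = parse_sddl(observed)
    return {
        "owner_changed": b_owner != o_owner,
        "owner": (b_owner, o_owner),
        "dacl_flags": (b_flags, o_flags),
        "removed": sorted(set(b_aces) - set(o_aces), key=str),
        "added": sorted(set(o_aces) - set(b_aces), key=str),
    }


# Constructed SDDLs, not taken from the report: a typical ACL for a binary
# under %SystemRoot% (owned by TrustedInstaller, read/execute for SYSTEM,
# Administrators and Users) and the ACL after an account took ownership and
# replaced the DACL with entries for itself and SYSTEM only.
BASELINE_SDDL = (f"O:{TRUSTED_INSTALLER}G:SYD:PAI(A;;FA;;;{TRUSTED_INSTALLER})"
                 "(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;BU)")
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
OBSERVED_SDDL = f"O:{USER_SID}G:SYD:(A;;FA;;;{USER_SID})(A;;FA;;;SY)"
```

A lost `PAI` flag and a removed Administrators entry are the two findings worth acting on: the first means inheritance from `SysWOW64` was cut, the second that an administrator will have to take ownership back before the file can be quarantined by hand.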
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe$localcfg
                                                                                            • API String ID: 237177642-1714200430
                                                                                            • Opcode ID: 15b9b55687a82b41d6800692092713c8c708d1165b0f2aaaab3cbeed006d9429
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: 15b9b55687a82b41d6800692092713c8c708d1165b0f2aaaab3cbeed006d9429
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
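This function reads and writes REG_DWORD values (type 4, 4 bytes) under HKEY_LOCAL_MACHINE (0x80000002) using the string `localcfg`, and the blocks on this page list the value names that go with it (`born_date`, `flags_upd`, `hi_id`, `lid_file_upd`, `loader_id`, `net_type`, `start_srv`, `work_srv`) along with the SMTP error strings, the crash-report format strings and the dropped-file path. Taken together, those strings are a usable triage signature for a process dump or an unpacked image. The block below is an added example, not code from the sample or from Joe Sandbox, that counts the markers in a memory dump and extracts paths shaped like the dropped file; the markers are copied verbatim from the page (including the sample's own "respons" spelling), while the four-marker threshold, the loosened path regex and the constructed dump bytes are assumptions.

```python
import re
from collections import Counter

# Strings taken from the function blocks on this page.  The sample calls the
# *A APIs, so the markers are searched as ANSI bytes.
TOFSEE_MARKERS = [
    b"localcfg", b"born_date", b"flags_upd", b"hi_id", b"lid_file_upd",
    b"loader_id", b"net_type", b"start_srv", b"work_srv",
    b"Too big smtp respons (%d bytes)", b"Incorrect respons", b"Too small respons",
    b"Error sending command (sent = %d/%d)",
    b"%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u",
    b"ver=%d date=%s %sc=%08x a=%p", b"except_info", b"plgs:",
]
# Shape of the dropped-file path seen in this run (two eight-letter names
# under SysWOW64).  That other samples keep exactly eight letters is an
# assumption, so the regex accepts 6 to 12.
DROP_PATH_RE = re.compile(rb"C:\\Windows\\SysWOW64\\[a-z]{6,12}\\[a-z]{6,12}\.exe", re.I)
MIN_DISTINCT = 4   # assumption: distinct markers needed before a dump is flagged


def scan_dump(data: bytes) -> dict:
    """Count each marker in the dump and pull out candidate dropped-file paths."""
    hits = Counter()
    for marker in TOFSEE_MARKERS:
        n = data.count(marker)
        if n:
            hits[marker.decode("ascii")] = n
    paths = sorted({m.decode("latin-1") for m in DROP_PATH_RE.findall(data)})
    return {
        "hits": dict(hits),
        "distinct": len(hits),
        "drop_paths": paths,
        "suspicious": len(hits) >= MIN_DISTINCT,
    }


def scan_file(path: str) -> dict:
    """Convenience wrapper for a .dmp / .sdmp file on disk."""
    with open(path, "rb") as fh:
        return scan_dump(fh.read())


# Constructed stand-in for a process memory dump (not data from the report):
# filler bytes around a few markers and the dropped-file path from this run.
SAMPLE_DUMP = (b"\x00" * 64 + b"localcfg\x00" + b"\x90" * 17
               + b"born_date\x00work_srv\x00" + b"Incorrect respons\x00"
               + b"C:\\Windows\\SysWOW64\\qeuwztgf\\lfkidgdf.exe\x00"
               + b"\xff" * 32 + b"localcfg\x00")
```

Run `scan_file()` over the `.sdmp` files a sandbox exports, or over a dump taken with a tool of your choice from a suspect `svchost.exe`; the `hits` dictionary tells you which part of the bot (config handling, SMTP engine, crash reporter) is resident in that process, and `drop_paths` gives the file to pull for the ACL check above.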
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-179334549
                                                                                            • Opcode ID: 4a22ad167bc3991e7243980079933dba70382744969d1905516b1f864c22465e
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 4a22ad167bc3991e7243980079933dba70382744969d1905516b1f864c22465e
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 835516345-270533642
                                                                                            • Opcode ID: c2d043fcc5cbb47ed0bea78f2b79b5e209498882ff798d96aae41c0d31e4dbc2
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: c2d043fcc5cbb47ed0bea78f2b79b5e209498882ff798d96aae41c0d31e4dbc2
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 02A7865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 02A7867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 02A786A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02A786B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe
                                                                                            • API String ID: 237177642-595768964
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: 78f432e62eb4a801af843fe09e1ccd1a216145993f94ce288b6fa2f66fdbfe6b
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: CCC1A272940108BEEB11EBA4DE88EEF7BBDEB04304F144066F605E2050EF744A94AF69
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 02A71601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 02A717D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: 6f934caf2e61c6602e4c79946ebd85e1a8ab8ee5a01971e03227b52035a6b027
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: 77F17BB15083419FD720CF64CC88BABB7F5FB88305F00892DF69A97290DBB49945CB5A
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 02A776D9
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02A77757
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 02A7778F
                                                                                            • ___ascii_stricmp.LIBCMT ref: 02A778B4
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02A7794E
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 02A7796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02A7797E
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02A779AC
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02A77A56
                                                                                              • Part of subcall function 02A7F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,02A7772A,?), ref: 02A7F414
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02A779F6
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02A77A4D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction ID: 2acba5b7e67d858c66da3d2177b47453645b7b943fb4788889b6dd017f738969
                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction Fuzzy Hash: 5BC18372940209AFEB11DBA4DD84FEEBBB9EF49710F1440A5E504E6190EF719A84CB68
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            • API String ID: 4293430545-3817095088
                                                                                            • Opcode ID: 618cfb6f1b26c540220dcc2678a44076c62346fd56d5638b59146fa8fa35b1d5
                                                                                            • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                            • Opcode Fuzzy Hash: 618cfb6f1b26c540220dcc2678a44076c62346fd56d5638b59146fa8fa35b1d5
                                                                                            • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02A72CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 02A72D07
                                                                                            • htons.WS2_32(00000000), ref: 02A72D42
                                                                                            • select.WS2_32 ref: 02A72D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 02A72DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02A72E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 127016686-0
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: 5b5248153aaf16d2b248ac865c9e913e3098dc003a4634e28e49e13ed2f0a7a1
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: AD61B071504305AFC7209F64DC48BABBBF8EB88755F04481AFD8597251DBB5D880CBAA
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: 5cd659d1eb2281404cf1ff7fe35be06c0bda1c6b56bcdef19fd154bc71bc5665
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: 5cd659d1eb2281404cf1ff7fe35be06c0bda1c6b56bcdef19fd154bc71bc5665
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: d8108df1af11397a5f9eb0cb94d23b6045a7de0830802216e32b8eab0121211e
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: d8108df1af11397a5f9eb0cb94d23b6045a7de0830802216e32b8eab0121211e
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                                            • CloseHandle.KERNEL32(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 2622201749-0
                                                                                            • Opcode ID: e164254f3378dd396073a59d5f8bf438da5901e9f91fe2d8a4805c76184d12e6
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: e164254f3378dd396073a59d5f8bf438da5901e9f91fe2d8a4805c76184d12e6
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: 07bf672bddbe06c2f420d96725ac0e1f54ef040b4224a6cef6ca6ba202742de3
                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                            • Opcode Fuzzy Hash: 07bf672bddbe06c2f420d96725ac0e1f54ef040b4224a6cef6ca6ba202742de3
                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: 66737db9b915561633ae3f492ee5f4d9e9eb10476a5fdfc482486e88eb260942
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: 66737db9b915561633ae3f492ee5f4d9e9eb10476a5fdfc482486e88eb260942
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: a4c47fe232f0f429a5e45ffdfbe97dd16a9fcdfbaa8a3ef520d6a4c94dc9225a
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: a4c47fe232f0f429a5e45ffdfbe97dd16a9fcdfbaa8a3ef520d6a4c94dc9225a
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02A73068
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02A73078
                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 02A73095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02A730B6
                                                                                            • htons.WS2_32(00000035), ref: 02A730EF
                                                                                            • inet_addr.WS2_32(?), ref: 02A730FA
                                                                                            • gethostbyname.WS2_32(?), ref: 02A7310D
                                                                                            • HeapFree.KERNEL32(00000000), ref: 02A7314D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: iphlpapi.dll
                                                                                            • API String ID: 2869546040-3565520932
                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction ID: 8058fdc25c8d5a2da641762846a0e067de04acd0053e034b33782a086dd7873b
                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction Fuzzy Hash: 4631E831A01206BBDF119BB89C88BAE77B8EF04364F1581A5F918E3290DF74D545DB5C
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?), ref: 02A795A7
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02A795D5
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02A795DC
                                                                                            • wsprintfA.USER32 ref: 02A79635
                                                                                            • wsprintfA.USER32 ref: 02A79673
                                                                                            • wsprintfA.USER32 ref: 02A796F4
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02A79758
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02A7978D
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02A797D8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID:
                                                                                            • API String ID: 3696105349-0
                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction ID: afbdef89e3950f32a56ced8988efa639823a6500036a76d877311f28c2d13aff
                                                                                            • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction Fuzzy Hash: DCA169B2940209EFEB21DFA4CD85FDB3BADAB08741F104026FA1596151EBB59584CFA8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 3560063639-3847274415
                                                                                            • Opcode ID: eb7510e18f4f3ad5f9c27a48c5e533d648c270866267e0b44efdedb47f858b72
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: eb7510e18f4f3ad5f9c27a48c5e533d648c270866267e0b44efdedb47f858b72
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-1625972887
                                                                                            • Opcode ID: 5de4b720525195bfa21f7211d5f61df3d951c59e2526b8a2204b20cbe9ca94a4
                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                            • Opcode Fuzzy Hash: 5de4b720525195bfa21f7211d5f61df3d951c59e2526b8a2204b20cbe9ca94a4
                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3188212458-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 02A767C3
                                                                                            • htonl.WS2_32(?), ref: 02A767DF
                                                                                            • htonl.WS2_32(?), ref: 02A767EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 02A768F1
                                                                                            • ExitProcess.KERNEL32 ref: 02A769BC
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1150517154-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: 83654054af3eadbcfebb27a0fb273379080675c0e8a5732220335c41f3a38e10
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: BF615E71A40208AFDB609FB4DC45FEA77E9FB08300F248066FA6DD2161EB759994CF54
                                                                                            APIs
                                                                                            • htons.WS2_32(02A7CC84), ref: 02A7F5B4
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 02A7F5CE
                                                                                            • closesocket.WS2_32(00000000), ref: 02A7F5DC
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction ID: 5b63afe2042f16a458bb42a280393b4aac55030b719da6a01dd4abd224bee87d
                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction Fuzzy Hash: F8315A72900118AFDB10DFA9DC88DEE7BBCEF88310F104566F915E3150EB709B818BA8
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 02A72FA1
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02A72FB1
                                                                                            • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02A72FC8
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02A73000
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02A73007
                                                                                            • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02A73032
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: dnsapi.dll
                                                                                            • API String ID: 1242400761-3175542204
                                                                                            • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction ID: 6ea5670b3f23f04f52511b9ce17f4ef9b4a7dd89a943d2d47d739ca60a4f4e48
                                                                                            • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction Fuzzy Hash: 1B217471D41629BBCB219B65DC88EEEBBBCEF08B50F014461F905E7140DBB49AC297D8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                            • API String ID: 1082366364-3395550214
                                                                                            • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                            • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02A79A18
                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 02A79A52
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 02A79A60
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02A79A98
                                                                                            • SetThreadContext.KERNEL32(?,00010002), ref: 02A79AB5
                                                                                            • ResumeThread.KERNEL32(?), ref: 02A79AC2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction ID: 7ef955fd1d28c9eda122d1bee262a80ff111091786eb37f120a064fa5f09837d
                                                                                            • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction Fuzzy Hash: BA216BB1A02219BBDB11DBA1DC48EEF7BBCEF04750F004061BA19E1050EB718A41CBA8
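The six calls in the record above are the textbook process-hollowing sequence: CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED), then GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread on the suspended child. The following is an added example, not part of the Joe Sandbox report: it parses trace lines in the report's own "Func.MODULE(args), ref: ADDR" bullet format and flags that chain. The sample input is constructed from the record above plus two unrelated calls from other records on this page; the window size and the rule that other calls may be interleaved are assumptions of this example.

```python
"""
Parse Joe Sandbox 'APIs' trace lines (the bullet records in this report) and
flag the process-hollowing call chain: CreateProcess* with CREATE_SUSPENDED,
then GetThreadContext -> WriteProcessMemory -> SetThreadContext -> ResumeThread.

Added example; not part of the Joe Sandbox report. The sample trace below is
constructed from the record above (the six calls at 02A79A18..02A79AC2) plus
two unrelated calls from other records, so it is not a complete process trace.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit (winbase.h)

# Matches "• Func.MODULE(arg,arg,...), ref: ADDR" and "• Func.MODULE ref: ADDR"
_LINE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]   # raw argument text as printed; '?' means unknown to the sandbox
    ref: int          # call-site address


def parse_trace(text: str) -> List[ApiCall]:
    """Parse every trace line in `text`; lines that do not match the format are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("func"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def _hex_arg(call: ApiCall, index: int) -> Optional[int]:
    """Return argument `index` as an int, or None if it is missing or printed as '?'."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


def find_hollowing(calls: List[ApiCall], window: int = 12) -> List[List[int]]:
    """
    Return one list of call-site addresses per detected chain.
    A chain starts at CreateProcessA/W whose dwCreationFlags (6th argument)
    has CREATE_SUSPENDED set and must complete, in order, within `window`
    later calls. Unrelated calls may sit in between: the record above has
    TerminateProcess (the error path) between GetThreadContext and
    WriteProcessMemory.
    """
    stages = ("GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
    hits = []
    for i, c in enumerate(calls):
        if c.func not in ("CreateProcessA", "CreateProcessW"):
            continue
        flags = _hex_arg(c, 5)
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        refs = [c.ref]
        stage = 0
        for later in calls[i + 1 : i + 1 + window]:
            if later.func == stages[stage]:
                refs.append(later.ref)
                stage += 1
                if stage == len(stages):
                    hits.append(refs)
                    break
    return hits


# Constructed sample input: the hollowing record above plus two unrelated calls.
SAMPLE_TRACE = """
• inet_addr.WS2_32(004102D8), ref: 02A71C18
• GetProcessHeap.KERNEL32 ref: 02A71C84
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02A79A18
• GetThreadContext.KERNEL32(?,?), ref: 02A79A52
• TerminateProcess.KERNEL32(?,00000000), ref: 02A79A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02A79A98
• SetThreadContext.KERNEL32(?,00010002), ref: 02A79AB5
• ResumeThread.KERNEL32(?), ref: 02A79AC2
"""

if __name__ == "__main__":
    for chain in find_hollowing(parse_trace(SAMPLE_TRACE)):
        print("process hollowing chain at", ", ".join(f"{r:08X}" for r in chain))
```

The parser keeps arguments as the sandbox printed them, so a flags value the sandbox could not resolve ("?") never matches; only a concrete dwCreationFlags with bit 0x4 set starts a chain. The same parsed records can be fed to other rules (for example the GetModuleHandleA/LoadLibraryA/GetProcAddress resolution of DnsQuery_A seen in the earlier records) without re-parsing.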
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(004102D8), ref: 02A71C18
                                                                                            • LoadLibraryA.KERNEL32(004102C8), ref: 02A71C26
                                                                                            • GetProcessHeap.KERNEL32 ref: 02A71C84
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02A71C9D
                                                                                            • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02A71CC1
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000), ref: 02A71D02
                                                                                            • FreeLibrary.KERNEL32(?), ref: 02A71D0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID:
                                                                                            • API String ID: 2324436984-0
                                                                                            • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction ID: f22d46dbc04786ab2667790ee946d156548f1d93b8a0d316bcf86f6ffdc2b448
                                                                                            • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction Fuzzy Hash: DC314B32E00219BFCB119FE4DCC89FEBBF9EB45715B24447AE509A2110DBB54E80DB98
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02A76CE4
                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02A76D22
                                                                                            • GetLastError.KERNEL32 ref: 02A76DA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 02A76DB5
                                                                                            • GetLastError.KERNEL32 ref: 02A76DD6
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02A76DE7
                                                                                            • GetLastError.KERNEL32 ref: 02A76DFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3873183294-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: e29f088b684f740503433a04994f7587764372db3e235188a2e9e98843f59ee2
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 2A310372900A49BFCB01DFE4DE88BDE7F7DEB48700F148066E211E3211DB708A458B69
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\iwmorlyx,02A77043), ref: 02A76F4E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02A76F55
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02A76F7B
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02A76F92
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$\\.\pipe\iwmorlyx
                                                                                            • API String ID: 1082366364-3234941893
                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction ID: a0a862a7f284562746581e662311edc0f7e52f681fc333cf1e33f337b1924141
                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction Fuzzy Hash: D02105217813407EF72253359DC8FFB6E5C8B52B24F1840A6F944E6590DFD988D6C2AD
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
• Instruction ID: 0ca874634632cc7f09a6f93c0023b8d605b5dfa92c07b27ea6fd6d566d757326
• Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
• Instruction Fuzzy Hash: 91712B72A40304BAEF319B94DDC5FEE376EAB40709F244066FA05A6093DF6299C48B5D
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
APIs
  • Part of subcall function 02A7DF6C: GetCurrentThreadId.KERNEL32 ref: 02A7DFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 02A7E8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02A76128), ref: 02A7E950
• lstrcmp.KERNEL32(?,00000008), ref: 02A7E989
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: 4b05bca5c643e04b5546c83c0668a213b056f3271ca4f32e733dc9a3890df126
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: B731AF32A04706DBDF71CF24CEC4BA6BBE8EF05725F1089AAE55587550DB70E880CB99
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: bb3a68048dca612602b0c8d6e49c283fb6b7b0927c26922aed4f6a4c5afedb24
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Opcode Fuzzy Hash: bb3a68048dca612602b0c8d6e49c283fb6b7b0927c26922aed4f6a4c5afedb24
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: 00a0f1c20717ffad520c2c584d39bc78a2f859fb70f77ccc51ce710bb12ad715
• Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction Fuzzy Hash: AB214A72204619BFDB119BA0ED88FDF3FADEB49A65B108465F502D1090EF70DA409A78
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
• Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 02A792E2
• wsprintfA.USER32 ref: 02A79350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02A79375
• lstrlen.KERNEL32(?,?,00000000), ref: 02A79389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 02A79394
• CloseHandle.KERNEL32(00000000), ref: 02A7939B
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: d10890bbd57a405e915ab87a2c0f7c03097c7ddcb14235e9876b2ca77a28a221
• Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction Fuzzy Hash: 9F1157B57401147FE7206B75DE0DFEF3A6EDBC5B11F008066BB05E5090EEB44E558A68
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 02A7C6B4
• InterlockedIncrement.KERNEL32(02A7C74B), ref: 02A7C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,02A7C747), ref: 02A7C728
• CloseHandle.KERNEL32(00000000,?,02A7C747,00413588,02A78A77), ref: 02A7C733
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: 530d8b5f215d2719d553cebe26c9c3d58c0839234496d46124527bd9ba0443b3
• Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction Fuzzy Hash: 825141B1601B419FD7248F29C9D461ABBFAFB48314B50693FE18BC7A90DB74E440CB14
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe
• API String ID: 124786226-2080065891
• Opcode ID: af514698247d92645eaa8a26d12ecf441a4c22af2d789d8c6bf78666e30c58a7
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Opcode Fuzzy Hash: af514698247d92645eaa8a26d12ecf441a4c22af2d789d8c6bf78666e30c58a7
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
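The records above print raw stack slots at each call site, so the reader has to decode the Win32 constants by hand: 40000000 and 00000002 in the %TEMP% CreateFileA call of the two file-drop records, 80000001 in RegOpenKeyExA, 00000080, 00000004 and 00000002 in the SetFileAttributesA and CreateFileA calls of subcall 0040675C, and the 0x40 and 0xF8 byte counts of its two ReadFile calls, which are the sizes of IMAGE_DOS_HEADER and IMAGE_NT_HEADERS32 and so are consistent with that subcall parsing the PE headers of the dropped lfkidgdf.exe (an interpretation, not something the report states). The script below is an added example, not Joe Sandbox code: it parses lines in the report's own bullet format (the sample lines are copied from the %TEMP% write record and the registry/PE-read record above) and names the constants from the standard Win32 headers. It decodes only the slots a function's documented prototype defines, because everything past that arity is the caller's frame; that is why the 00000101 in the sixth slot of the RegOpenKeyExA line, which would read as KEY_QUERY_VALUE|KEY_WOW64_64KEY, is deliberately not reported as samDesired. The regex, the arity table and the temp_drop_sequence heuristic are this example's own assumptions.

```python
"""Decode Win32 constants in Joe Sandbox API-trace lines.

Added example for this report, not Joe Sandbox code. Sample lines are copied
from the records on this page; constant values come from the standard Win32
headers. Regex, arity table and the drop heuristic are the example's own.
"""
import re

# One trace line as the report prints it: optional "Part of subcall function"
# prefix, API name, module, optional argument list, then the call site (ref).
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Documented parameter counts. The report prints raw stack slots, so slots past
# the prototype's arity belong to the caller's frame and are never decoded.
ARITY = {"CreateFileA": 7, "SetFileAttributesA": 2, "ReadFile": 5,
         "WriteFile": 5, "RegOpenKeyExA": 5, "GetTempPathA": 2}

# Constant tables as (names, is_bitmask): bitmask tables are OR-decomposed,
# the others must match exactly.
GENERIC = ({0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}, True)
SHARE = ({0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}, True)
DISPOSITION = ({1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}, False)
ATTRS = ({0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
          0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"}, True)
HKEY = ({0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}, False)
SAM = ({0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
        0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY",
        0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}, True)
# Read sizes that equal PE header structures: 0x40 is IMAGE_DOS_HEADER, 0xF8 is
# IMAGE_NT_HEADERS32 (signature + file header + 32-bit optional header).
PE_SIZES = ({0x40: "sizeof(IMAGE_DOS_HEADER)", 0xF8: "sizeof(IMAGE_NT_HEADERS32)"}, False)

# (API, zero-based parameter index) -> table used to name that parameter.
DECODERS = {("CreateFileA", 1): GENERIC, ("CreateFileA", 2): SHARE,
            ("CreateFileA", 4): DISPOSITION, ("CreateFileA", 5): ATTRS,
            ("SetFileAttributesA", 1): ATTRS, ("ReadFile", 2): PE_SIZES,
            ("RegOpenKeyExA", 0): HKEY, ("RegOpenKeyExA", 3): SAM}


def _name(value, table):
    names, is_bitmask = table
    if not is_bitmask:
        return names.get(value, f"0x{value:X}")
    parts = [n for bit, n in names.items() if value & bit]
    rest = value & ~sum(names)          # bits no table entry explains
    if rest:
        parts.append(f"0x{rest:X}")
    return "|".join(parts) if parts else "0"


def parse_line(line):
    """Split one report line into API, prototype-limited args, ref and subcall."""
    m = _LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    api = m.group("api")
    return {"api": api, "module": m.group("mod"), "ref": m.group("ref"),
            "subcall": m.group("sub"), "args": args[:ARITY.get(api, len(args))]}


def decode_call(call):
    """Map parameter index -> symbolic name for every decodable hex slot."""
    out = {}
    for idx, arg in enumerate(call["args"]):
        table = DECODERS.get((call["api"], idx))
        if table and re.fullmatch(r"[0-9A-Fa-f]{8}", arg):   # "?" slots stay undecoded
            out[idx] = _name(int(arg, 16), table)
    return out


def temp_drop_sequence(calls):
    """GetTempPathA, then CreateFileA(GENERIC_WRITE, CREATE_ALWAYS), then WriteFile."""
    have_temp = created = False
    for c in calls:
        d = decode_call(c)
        if c["api"] == "GetTempPathA":
            have_temp = True
        elif c["api"] == "CreateFileA" and have_temp:
            created = "GENERIC_WRITE" in d.get(1, "") and d.get(4) == "CREATE_ALWAYS"
        elif c["api"] == "WriteFile" and created:
            return True
    return False


# Constructed input: lines copied verbatim from the two records above.
TEMP_RECORD = r"""
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
""".strip().splitlines()

REG_RECORD = r"""
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
""".strip().splitlines()

if __name__ == "__main__":
    for lines in (TEMP_RECORD, REG_RECORD):
        calls = [c for c in map(parse_line, lines) if c]
        for c in calls:
            print(f"{c['ref']} {c['api']:20} {decode_call(c)}")
        print("writes a new file under %TEMP%:", temp_drop_sequence(calls))
```

Run it as a script to see each call annotated; the heuristic fires for the %TEMP% record and stays silent for the registry record. Extending it to other records on this page means adding the API's documented parameter count to ARITY and a table entry to DECODERS; without the arity entry the decoder will happily name a caller-frame slot, which is exactly the mistake the RegOpenKeyExA line invites.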
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 02A771E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02A77228
• LocalFree.KERNEL32(?,?,?), ref: 02A77286
• wsprintfA.USER32 ref: 02A7729D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 43c842c3fef238a8641dc46b38e446e4e5a9446cb7e06684b206932aa7391687
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 9D311A72A00208BFDB01DFA8DD45BDABBACEF04314F148066F959DB210EB75D7488B98
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                            • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1586453840-0
                                                                                            • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                            • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 02A7B51A
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02A7B529
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 02A7B548
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 02A7B590
                                                                                            • wsprintfA.USER32 ref: 02A7B61E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4026320513-0
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 6ef86061a0427df9abf8efc48d4561fabfd86e7a10edb773a0c3c6c21088c51d
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: 7A510FB1D0021DAACF14DFD5DD885EEBBB9BF48304F10856AF505A6150E7B84AC9CFA8
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: ef12e745c0d8ac77b0bd51427e5f83480508b91c038ebc09813fba6640af01bf
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: ef12e745c0d8ac77b0bd51427e5f83480508b91c038ebc09813fba6640af01bf
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: 5dd434fdf3d1b2f7ac71eae5deaa1b81d7ffa9032da077e8e99a06cc7be058a2
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: 5dd434fdf3d1b2f7ac71eae5deaa1b81d7ffa9032da077e8e99a06cc7be058a2
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02A76303
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02A7632A
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 02A763B1
                                                                                            • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02A76405
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: HugeRead$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 3498078134-0
                                                                                            • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction ID: a034f138229bcd0c6332b2c2320b283ce8a8c94b515f493a71a914df8407d638
                                                                                            • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction Fuzzy Hash: 02415C71A00A09EFDB14CF58CD84BA9B7B9FF04B58F1881B9E825D7290EB71E940CB54
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: A$ A
                                                                                            • API String ID: 3343386518-686259309
                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1802437671-0
                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
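The argument columns in the APIs lines above are raw stack values (0000FFFF, 00001005, 80000001, 00020119, 40000000 and so on), which is awkward when triaging what a function actually configures. The decoder below is an added example and is not part of the Joe Sandbox report or of the sample's code: it parses APIs lines of the form shown above (the lines in REPORT_LINES are copied from the entries on this page) and annotates setsockopt, RegOpenKeyExA and CreateFileA calls with their documented Winsock and Win32 constant names. The constant tables hold standard Windows values and are not taken from this report; a `?` argument is a value the sandbox could not recover and is left undecoded.

```python
"""Decode Win32/Winsock constants in Joe Sandbox 'APIs' lines (added example, not report code)."""
import re
from typing import Optional

# Documented Windows constants used for decoding; these come from the SDK headers, not from the report.
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
LEVEL_NAMES = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP"}
SOCKOPT_NAMES = {
    (SOL_SOCKET, 0x0004): "SO_REUSEADDR",
    (SOL_SOCKET, 0x0080): "SO_LINGER",
    (SOL_SOCKET, 0x1005): "SO_SNDTIMEO",
    (SOL_SOCKET, 0x1006): "SO_RCVTIMEO",
    (IPPROTO_TCP, 0x0001): "TCP_NODELAY",
}
HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_FLAGS = {0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
             0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# One report line looks like "• api.MODULE(arg,arg,...), ref: ADDR"; the argument list is optional
# and a '?' marks an argument the sandbox could not recover.
CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Lines copied from the APIs entries on this page (the sample input for the decoder).
REPORT_LINES = [
    "• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6",
    "• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0",
    "• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0",
    "• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD",
    "• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC",
    "• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD",
    "• wsprintfA.USER32 ref: 004091A9",
    "  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E",
]


def parse_arg(tok: str):
    """'?' -> None, hex -> int (a leading '-' gives a negative displacement), anything else stays a string."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok  # e.g. the string literal LocalHost


def parse_line(line: str) -> Optional[dict]:
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
    return {"api": m["api"], "module": m["mod"], "args": args,
            "ref": int(m["ref"], 16), "subcall": "Part of subcall" in line}


def decode_flags(value: int, table: dict) -> list:
    return [name for bit, name in table.items() if value & bit]


def annotate(call: dict) -> list:
    """Symbolic names for the arguments of the three API families decoded here."""
    api, a = call["api"], call["args"]

    def known(i):  # argument present and actually recovered by the sandbox
        return len(a) > i and isinstance(a[i], int)

    notes = []
    if api == "setsockopt" and known(1) and known(2):
        level, opt = a[1], a[2]
        notes.append(f"{LEVEL_NAMES.get(level, hex(level))}/{SOCKOPT_NAMES.get((level, opt), hex(opt))}")
    elif api.startswith("RegOpenKeyEx"):
        if known(0):
            notes.append(HKEY_NAMES.get(a[0], hex(a[0])))
        if known(3):
            parts = (["KEY_READ"] if a[3] & KEY_READ == KEY_READ else []) + decode_flags(a[3], KEY_FLAGS)
            notes.append("|".join(parts) or hex(a[3]))
    elif api.startswith("CreateFile"):
        if known(1):
            notes.append("|".join(decode_flags(a[1], ACCESS_FLAGS)) or hex(a[1]))
        if known(4):
            notes.append(DISPOSITION.get(a[4], hex(a[4])))
    return notes


def decode_report(lines) -> dict:
    """Map call-site address -> (api name, list of decoded argument names)."""
    out = {}
    for line in lines:
        call = parse_line(line)
        if call:
            out[call["ref"]] = (call["api"], annotate(call))
    return out


if __name__ == "__main__":
    for ref, (api, notes) in sorted(decode_report(REPORT_LINES).items()):
        print(f"{ref:08X} {api:<16} {' '.join(notes)}")
```

Running it shows the socket-setup function at 0040F2A0 enabling SO_REUSEADDR, send and receive timeouts, TCP_NODELAY and SO_LINGER, the registry function at 0040E3E6 opening a key under HKEY_CURRENT_USER with KEY_READ|KEY_WOW64_64KEY, and the subcall at 0040910E creating a file with GENERIC_WRITE and CREATE_ALWAYS. Only these three API families are decoded; other lines still parse (the `?` placeholders become None) but get no annotation.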
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02A793C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02A793CD
                                                                                            • CharToOemA.USER32(?,?), ref: 02A793DB
                                                                                            • wsprintfA.USER32 ref: 02A79410
                                                                                              • Part of subcall function 02A792CB: GetTempPathA.KERNEL32(00000400,?), ref: 02A792E2
                                                                                              • Part of subcall function 02A792CB: wsprintfA.USER32 ref: 02A79350
                                                                                              • Part of subcall function 02A792CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02A79375
                                                                                              • Part of subcall function 02A792CB: lstrlen.KERNEL32(?,?,00000000), ref: 02A79389
                                                                                              • Part of subcall function 02A792CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02A79394
                                                                                              • Part of subcall function 02A792CB: CloseHandle.KERNEL32(00000000), ref: 02A7939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02A79448
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction ID: 304592a56e23f16e4db978f300cbb7d6dfd134228a95e60e8e8540202d0f7dc2
                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction Fuzzy Hash: 280152F69401187BD721A7619D89EDF777CDB95701F0040A2BB49E2080EAB497C58F79
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: 53a70ba93e4b2c34d413b9add9e26c4f8e9f0de61643a904c0250f6f0d42246e
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: 53a70ba93e4b2c34d413b9add9e26c4f8e9f0de61643a904c0250f6f0d42246e
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 5c3f6046797f5d804895e4c05c4277987be728c98b5bed37973dbb72bca93dd1
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Opcode Fuzzy Hash: 5c3f6046797f5d804895e4c05c4277987be728c98b5bed37973dbb72bca93dd1
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 920de0406b014ff37440a384606aad7448a28413dbd8f2f9a50be4f5791c31c7
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: F5E0EC306045119FDB509B28FC88BD577A5AF4A230F058595F854D71A0CB74DD819658
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 02A769E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02A76A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 02A76A3A
• CloseHandle.KERNEL32(000000FF), ref: 02A76BD8
  • Part of subcall function 02A7EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02A71DCF,?), ref: 02A7EEA8
  • Part of subcall function 02A7EE95: HeapFree.KERNEL32(00000000), ref: 02A7EEAF
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
• Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction ID: e62b52f15aecfc16f0abec82da81adb1a942f74b05cb6e562d5700a022cc5e90
• Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction Fuzzy Hash: 0C71377194061DEFDF10DFA4CC80AEEBBBDFB44714F1045AAE615AA190DB309E92CB64
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
• Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
• Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
APIs
• RegCreateKeyExA.ADVAPI32(80000001,02A7E50A,00000000,00000000,00000000,00020106,00000000,02A7E50A,00000000,000000E4), ref: 02A7E319
• RegSetValueExA.ADVAPI32(02A7E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 02A7E38E
• RegDeleteValueA.ADVAPI32(02A7E50A,?,?,?,?,?,000000C8,004122F8), ref: 02A7E3BF
• RegCloseKey.ADVAPI32(02A7E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,02A7E50A), ref: 02A7E3C8
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: ddd93ec987cc9cff366bb49aebf579883763ce02ad2332d04003f72b7e9ca761
• Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: 50214971A00219ABDB209FA4ED89EEE7F79EF08750F0080A1F904E6150EB718A54DBA4
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                            • GetLastError.KERNEL32 ref: 00403F4E
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02A7421F
                                                                                            • GetLastError.KERNEL32 ref: 02A74229
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 02A7423A
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A7424D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02A741AB
• GetLastError.KERNEL32 ref: 02A741B5
• WaitForSingleObject.KERNEL32(?,?), ref: 02A741C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A741D9
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 02A7E066
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 02A783C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02A78477
  • Part of subcall function 02A769C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 02A769E5
  • Part of subcall function 02A769C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02A76A26
  • Part of subcall function 02A769C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02A76A3A
  • Part of subcall function 02A7EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02A71DCF,?), ref: 02A7EEA8
  • Part of subcall function 02A7EE95: HeapFree.KERNEL32(00000000), ref: 02A7EEAF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe
• API String ID: 359188348-2080065891
APIs
• GetLocalTime.KERNEL32(?), ref: 02A7AFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 02A7B00D
  • Part of subcall function 02A7AF6F: gethostname.WS2_32(?,00000080), ref: 02A7AF83
  • Part of subcall function 02A7AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 02A7AFE6
  • Part of subcall function 02A7331C: gethostname.WS2_32(?,00000080), ref: 02A7333F
  • Part of subcall function 02A7331C: gethostbyname.WS2_32(?), ref: 02A73349
  • Part of subcall function 02A7AA0A: inet_ntoa.WS2_32(00000000), ref: 02A7AA10
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02A79536
• Sleep.KERNEL32(000001F4), ref: 02A7955D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
APIs
• GetTickCount.KERNEL32 ref: 02A7B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 02A7BA3A
• InterlockedIncrement.KERNEL32(?), ref: 02A7BA94
• GetTickCount.KERNEL32 ref: 02A7BB79
• GetTickCount.KERNEL32 ref: 02A7BB99
• InterlockedIncrement.KERNEL32(?), ref: 02A7BE15
• closesocket.WS2_32(00000000), ref: 02A7BEB4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
                                                                                            • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                            • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                            APIs
                                                                                              • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                              • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461
                                                                                            • Opcode ID: 07e354698f15fd9fc768e13d315d3543d6c442699b8c7836c4f7c54cdd5a5fd6
                                                                                            • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                            • Opcode Fuzzy Hash: 07e354698f15fd9fc768e13d315d3543d6c442699b8c7836c4f7c54cdd5a5fd6
                                                                                            • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 02A770BC
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 02A770F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID: |
                                                                                            • API String ID: 2370142434-2343686810
                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction ID: 3095ceb37734f8372eacf53e00dc213b270158d235e272c03c31361a8ec683b6
                                                                                            • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction Fuzzy Hash: 8A112172A0011CEBDF11CFD5DC84ADEF7BDAB04715F1441A6E501E61A4DB709B88CBA8
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2777991786-1857712256
                                                                                            • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                            • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                            APIs
                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 44b2ceadd519ca45f912a616d592807794313ca1f1de80b4bcf7ee55ccb8d493
                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                            • Opcode Fuzzy Hash: 44b2ceadd519ca45f912a616d592807794313ca1f1de80b4bcf7ee55ccb8d493
                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                            APIs
                                                                                              • Part of subcall function 02A72F88: GetModuleHandleA.KERNEL32(?), ref: 02A72FA1
                                                                                              • Part of subcall function 02A72F88: LoadLibraryA.KERNEL32(?), ref: 02A72FB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A731DA
                                                                                            • HeapFree.KERNEL32(00000000), ref: 02A731E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_2a70000_lfkidgdf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction ID: 5aa124aa051e5b4eac7b11f922cb6aeb56fb7c3e8d2143c167a73d950d246b49
                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction Fuzzy Hash: 67519C7190024AAFCF019F64DC88AFAB775FF25305F1541A9EC96C7210EB32DA19CB98
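The per-function records above are easier to use as data than as text. The following parser is an added example (it is not Joe Sandbox code, and the record layout it assumes is only the one visible in this report): it turns each "APIs / Strings / Memory Dump Source / Similarity" record into a dictionary, indexes call sites by API name, and groups records that share an "API String ID" across the two memory dumps (the PE-backed image at offset 00400000 and the non-PE-backed region at 02A70000), which is a quick way to line up a routine that appears in both. The embedded sample is abridged from three of the blocks above (Snapshot File, Yara, Opcode ID and some API lines omitted).

```python
"""Parse Joe Sandbox per-function metadata records (the "APIs / Strings /
Memory Dump Source / Similarity" blocks above) into dictionaries.
Added example, not Joe Sandbox code: the record layout it assumes is the
one visible in this report. SAMPLE is abridged from three of the blocks
above (Snapshot File, Yara, Opcode ID and some API lines omitted)."""
import re
from collections import defaultdict

# "Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X: "
API_RE = re.compile(
    r'^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?'
    r'(?P<name>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$')
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}

SAMPLE = """\
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CountTickwsprintf
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 0000000B.00000002.2158741061.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A731DA
• HeapFree.KERNEL32(00000000), ref: 02A731E1
Memory Dump Source
• Source File: 0000000B.00000002.2160610575.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• API String ID: 1017166417-0
"""


def parse_blocks(text):
    """One dict per record; a record starts at an 'APIs' heading."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                cur = {"apis": [], "strings": [], "meta": {}}
                blocks.append(cur)
            section = line
            continue
        if cur is None:                      # tail of a record cut off by the excerpt
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                cur["apis"].append({"name": m["name"], "module": m["mod"], "args": m["args"],
                                    "ref": m["ref"], "subcall": m["sub"]})
        elif section == "Strings":           # "<string>, xrefs: ADDR"
            s, sep, xref = item.rpartition(", xrefs: ")
            cur["strings"].append({"value": s if sep else item, "xref": xref if sep else ""})
        else:                                # "Key: Value"; Source File packs three fields
            key, sep, val = item.partition(": ")
            if not sep:
                key, val = item.rstrip(":"), ""
            if key == "Source File":
                parts = val.split(", ")
                cur["meta"]["source_file"] = parts[0]
                for p in parts[1:]:
                    k, _, v = p.partition(": ")
                    cur["meta"][k.lower().replace(" ", "_")] = v
            else:
                cur["meta"][key.lower().replace(" ", "_")] = val
    return blocks


def by_api(blocks):
    """API name -> [(dump offset, call-site address)], to locate every call site."""
    idx = defaultdict(list)
    for b in blocks:
        for a in b["apis"]:
            idx[a["name"]].append((b["meta"].get("offset"), a["ref"]))
    return dict(idx)


def pair_across_regions(blocks):
    """Group records by 'API String ID'; a routine present in more than one
    dump (here the PE-backed image and the non-PE-backed region) shares it."""
    groups = defaultdict(list)
    for b in blocks:
        groups[b["meta"].get("api_string_id")].append(
            (b["meta"].get("offset"), b["meta"].get("based_on_pe")))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Feeding the full report text to `parse_blocks` works the same way; records whose "APIs" heading falls before the start of an excerpt are skipped rather than mis-attributed, and the Strings entries keep their xref so a string such as `%FROM_EMAIL` can be tied back to the function that references it.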

                                                                                            Execution Graph

                                                                                            Execution Coverage:15.1%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:0.7%
                                                                                            Total number of Nodes:1807
                                                                                            Total number of Limit Nodes:18
execution_graph (flattened node/edge dump of the rendered graph; each node is "<id> <address> [APIs called]", "<a>-><b>" is a call edge, "N API calls" marks a collapsed callee; the dump breaks off at node 6420, 2b0f04e LoadLibraryA GetProcAddress). Recoverable content, by address:
• Main path from the entry node: 2b09a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter -> 2b0ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount -> 2b09aa3 GetModuleHandleA GetModuleFileNameA -> 2b09afd GetCommandLineA -> command-line handling (2b0675c, 21 API calls; 2b09ca0 GetTempPathA; 2b09f32 RegOpenKeyExA and 2b09f48 RegSetValueExA RegCloseKey; 2b0a103 CreateProcessA; 2b0a39d StartServiceCtrlDispatcherA; 2b0a3c2 -> 2b098f2) -> 2b0a41c CreateThread WSAStartup -> 2b0e52e (2b0e555 GetFileSize, 2b0e576 ReadFile, 2b0e5b1 CloseHandle, 2b0e3ca RegOpenKeyExA) -> 2b0eaaf -> 2b01d96 (2b01db4 GetVersionExA; 2b01dd0 GetSystemInfo GetModuleHandleA GetProcAddress; 2b01e16 GetCurrentProcess; 2b0199c inet_addr LoadLibraryA) -> 2b080c9 (2b08156 RegOpenKeyExA, 2b0816d and 2b081aa RegQueryValueExA, 2b0820d RegCloseKey) -> 2b08269 CreateThread -> 2b0a491 loop (2b0a49f and 2b0a4b7 GetTickCount, 2b0a4be Sleep, 2b0c913)
• Service control: 2b09961 RegisterServiceCtrlHandlerA; 2b09892 and 2b098c2 SetServiceStatus; 2b098f2 (41 API calls)
• Network (under 2b0c913): 2b02684; 2b0c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap; 2b0ca4b, 2b0cb60 and 2b0dad2 closesocket; 2b0d569 closesocket Sleep; 2b0d815 wsprintfA; 2b0cc1c GetTempPathA
• Other API-bearing nodes: 2b0a167 and 2b09f9d GetModuleHandleA GetModuleFileNameA; 2b09145 GetModuleHandleA GetModuleFileNameA CharToOemA; 2b0a1e3 GetCommandLineA; 2b09e6b GetEnvironmentVariableA; 2b09dde GetFileAttributesExA; 2b0a406, 2b09e0c and 2b0a12a DeleteFileA; 2b0a1b2 and 2b09ff1 GetDriveTypeA; 2b09c05 ExitProcess; 2b0a3ed GetLastError; 2b0a3f8 and 2b08dec Sleep; 2b0dd05 and 2b01f8e GetTickCount; 2b0405e and 2b04280 CreateEventA; 2b0a0a4 wsprintfA; 2b05d34 and 2b04861 IsBadWritePtr; 2b0be31, 2b0be55, 2b0be61, 2b0bf62, 2b0bf77 and 2b0bf8c lstrcmpiA; 2b05110 and 2b05351 lstrcmpA; 2b0524f and 2b099d2 lstrcpyA; 2b09d72 lstrcpyA lstrcatA lstrcatA; 2b09eb0 lstrcpyA lstrlenA; 2b0a02d, 2b0a052, 2b0a064 and 2b0a081 lstrcatA; 2b09b96 and 2b0a285 lstrlenA; 2b0ec2e codecvt (4 API calls)
• Largest collapsed callees: 2b098f2 (41 API calls), 2b0ea84 (30), 2b0c517 and 2b0e318 (23 each), 2b0675c (21), 2b0df4c (20), 2b0e3ca (19), 2b099d2 (16), 2b0e654 (13), 2b0df70 (12), 2b0e819 (11), 2b0ebed and 2b04ae6 (8 each)
SystemTimeToFileTime GetSystemTimeAsFileTime 6405->6420 6421 2b0e8a1 30 API calls 6405->6421 6423 2b0cfe3 GetSystemDirectoryA 6405->6423 6424 2b0cfad GetEnvironmentVariableA 6405->6424 6425 2b0675c 21 API calls 6405->6425 6426 2b0d027 GetSystemDirectoryA 6405->6426 6427 2b0d105 lstrcatA 6405->6427 6428 2b0ef1e lstrlenA 6405->6428 6429 2b0cc9f CreateFileA 6405->6429 6430 2b0ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6405->6430 6432 2b08e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6405->6432 6433 2b0d15b CreateFileA 6405->6433 6438 2b0d149 SetFileAttributesA 6405->6438 6439 2b0d36e GetEnvironmentVariableA 6405->6439 6440 2b0d1bf SetFileAttributesA 6405->6440 6442 2b0d22d GetEnvironmentVariableA 6405->6442 6443 2b07ead 6 API calls 6405->6443 6445 2b0d3af lstrcatA 6405->6445 6446 2b0d3f2 CreateFileA 6405->6446 6448 2b07fcf 64 API calls 6405->6448 6454 2b0d3e0 SetFileAttributesA 6405->6454 6455 2b0d26e lstrcatA 6405->6455 6457 2b0d4b1 CreateProcessA 6405->6457 6458 2b0d2b1 CreateFileA 6405->6458 6460 2b0d452 SetFileAttributesA 6405->6460 6462 2b07ee6 64 API calls 6405->6462 6463 2b0d29f SetFileAttributesA 6405->6463 6466 2b0d31d SetFileAttributesA 6405->6466 6991 2b0c75d 6405->6991 7003 2b07e2f 6405->7003 7025 2b07ead 6405->7025 7035 2b031d0 6405->7035 7052 2b03c09 6405->7052 7062 2b03a00 6405->7062 7066 2b0e7b4 6405->7066 7069 2b0c06c 6405->7069 7075 2b06f5f GetUserNameA 6405->7075 7086 2b0e854 6405->7086 7096 2b07dd6 6405->7096 6407->6405 6409->6405 6414->6405 7030 2b0e318 6415->7030 6416->6405 6417->6405 6418->6405 6420->6405 6421->6405 6422 2b0d582 ExitProcess 6423->6405 6424->6405 6425->6405 6426->6405 6427->6405 6428->6405 6429->6405 6431 2b0ccc6 WriteFile 6429->6431 6430->6405 6434 2b0cdcc CloseHandle 6431->6434 6435 2b0cced CloseHandle 6431->6435 6432->6405 6433->6405 6436 2b0d182 WriteFile CloseHandle 6433->6436 6434->6405 6441 2b0cd2f 6435->6441 6436->6405 6437 2b0cd16 wsprintfA 6437->6441 6438->6433 
6439->6405 6440->6405 6441->6437 7012 2b07fcf 6441->7012 6442->6405 6443->6405 6445->6405 6445->6446 6446->6405 6449 2b0d415 WriteFile CloseHandle 6446->6449 6448->6405 6449->6405 6450 2b0cd81 WaitForSingleObject CloseHandle CloseHandle 6452 2b0f04e 4 API calls 6450->6452 6451 2b0cda5 6453 2b07ee6 64 API calls 6451->6453 6452->6451 6456 2b0cdbd DeleteFileA 6453->6456 6454->6446 6455->6405 6455->6458 6456->6405 6457->6405 6459 2b0d4e8 CloseHandle CloseHandle 6457->6459 6458->6405 6461 2b0d2d8 WriteFile CloseHandle 6458->6461 6459->6405 6460->6405 6461->6405 6462->6405 6463->6458 6466->6405 6468 2b06784 CreateFileA 6467->6468 6469 2b0677a SetFileAttributesA 6467->6469 6470 2b067a4 CreateFileA 6468->6470 6471 2b067b5 6468->6471 6469->6468 6470->6471 6472 2b067c5 6471->6472 6473 2b067ba SetFileAttributesA 6471->6473 6474 2b06977 6472->6474 6475 2b067cf GetFileSize 6472->6475 6473->6472 6474->6162 6495 2b06a60 CreateFileA 6474->6495 6476 2b067e5 6475->6476 6477 2b06965 6475->6477 6476->6477 6478 2b067ed ReadFile 6476->6478 6479 2b0696e FindCloseChangeNotification 6477->6479 6478->6477 6480 2b06811 SetFilePointer 6478->6480 6479->6474 6480->6477 6481 2b0682a ReadFile 6480->6481 6481->6477 6482 2b06848 SetFilePointer 6481->6482 6482->6477 6483 2b06867 6482->6483 6484 2b068d5 6483->6484 6485 2b06878 ReadFile 6483->6485 6484->6479 6487 2b0ebcc 4 API calls 6484->6487 6486 2b068d0 6485->6486 6489 2b06891 6485->6489 6486->6484 6488 2b068f8 6487->6488 6488->6477 6490 2b06900 SetFilePointer 6488->6490 6489->6485 6489->6486 6491 2b0695a 6490->6491 6492 2b0690d ReadFile 6490->6492 6494 2b0ec2e codecvt 4 API calls 6491->6494 6492->6491 6493 2b06922 6492->6493 6493->6479 6494->6477 6496 2b06b8c GetLastError 6495->6496 6497 2b06a8f GetDiskFreeSpaceA 6495->6497 6499 2b06b86 6496->6499 6498 2b06ac5 6497->6498 6507 2b06ad7 6497->6507 7181 2b0eb0e 6498->7181 6499->6178 6503 2b06b56 CloseHandle 6503->6499 6506 2b06b65 GetLastError CloseHandle 6503->6506 6504 2b06b36 GetLastError 
CloseHandle 6505 2b06b7f DeleteFileA 6504->6505 6505->6499 6506->6505 7185 2b06987 6507->7185 6509 2b096b9 6508->6509 6510 2b073ff 17 API calls 6509->6510 6511 2b096e2 6510->6511 6512 2b096f7 6511->6512 6513 2b0704c 16 API calls 6511->6513 6512->6154 6512->6155 6513->6512 6515 2b042a5 6514->6515 6516 2b0429d 6514->6516 7191 2b03ecd 6515->7191 6516->6159 6516->6175 6518 2b042b0 7195 2b04000 6518->7195 6520 2b043c1 CloseHandle 6520->6516 6521 2b042b6 6521->6516 6521->6520 7201 2b03f18 WriteFile 6521->7201 6526 2b043ba CloseHandle 6526->6520 6527 2b04318 6528 2b03f18 4 API calls 6527->6528 6529 2b04331 6528->6529 6530 2b03f18 4 API calls 6529->6530 6531 2b0434a 6530->6531 6532 2b0ebcc 4 API calls 6531->6532 6533 2b04350 6532->6533 6534 2b03f18 4 API calls 6533->6534 6535 2b04389 6534->6535 6536 2b0ec2e codecvt 4 API calls 6535->6536 6537 2b0438f 6536->6537 6538 2b03f8c 4 API calls 6537->6538 6539 2b0439f CloseHandle CloseHandle 6538->6539 6539->6516 6541 2b099eb 6540->6541 6542 2b09a2f lstrcatA 6541->6542 6543 2b0ee2a 6542->6543 6544 2b09a4b lstrcatA 6543->6544 6545 2b06a60 13 API calls 6544->6545 6546 2b09a60 6545->6546 6546->6185 6546->6213 6547 2b06dc2 6546->6547 6548 2b06e33 6547->6548 6549 2b06dd7 6547->6549 6548->6200 6550 2b06cc9 5 API calls 6549->6550 6551 2b06ddc 6550->6551 6552 2b06e02 GetVolumeInformationA 6551->6552 6553 2b06e24 6551->6553 6552->6553 6553->6548 6555 2b06cdc GetModuleHandleA GetProcAddress 6554->6555 6562 2b06d8b 6554->6562 6556 2b06d12 GetSystemDirectoryA 6555->6556 6557 2b06cfd 6555->6557 6558 2b06d27 GetWindowsDirectoryA 6556->6558 6559 2b06d1e 6556->6559 6557->6556 6557->6562 6560 2b06d42 6558->6560 6559->6558 6559->6562 6561 2b0ef1e lstrlenA 6560->6561 6561->6562 6562->6210 7209 2b01910 6563->7209 6566 2b0934a GetModuleHandleA GetModuleFileNameA 6568 2b0937f 6566->6568 6569 2b093a4 6568->6569 6570 2b093d9 6568->6570 6571 2b093c3 wsprintfA 6569->6571 6572 2b09401 wsprintfA 6570->6572 6573 2b09415 6571->6573 6572->6573 6576 2b06cc9 5 API 
calls 6573->6576 6597 2b094a0 6573->6597 6574 2b06edd 5 API calls 6575 2b094ac 6574->6575 6577 2b0962f 6575->6577 6578 2b094e8 RegOpenKeyExA 6575->6578 6582 2b09439 6576->6582 6583 2b09646 6577->6583 7224 2b01820 6577->7224 6580 2b09502 6578->6580 6581 2b094fb 6578->6581 6586 2b0951f RegQueryValueExA 6580->6586 6581->6577 6585 2b0958a 6581->6585 6587 2b0ef1e lstrlenA 6582->6587 6592 2b095d6 6583->6592 7230 2b091eb 6583->7230 6585->6583 6588 2b09593 6585->6588 6589 2b09530 6586->6589 6590 2b09539 6586->6590 6591 2b09462 6587->6591 6588->6592 7211 2b0f0e4 6588->7211 6593 2b0956e RegCloseKey 6589->6593 6594 2b09556 RegQueryValueExA 6590->6594 6595 2b0947e wsprintfA 6591->6595 6592->6220 6592->6223 6593->6581 6594->6589 6594->6593 6595->6597 6597->6574 6598 2b095bb 6598->6592 7218 2b018e0 6598->7218 6601 2b02544 6600->6601 6602 2b0972d RegOpenKeyExA 6601->6602 6603 2b09740 6602->6603 6604 2b09765 6602->6604 6605 2b0974f RegDeleteValueA RegCloseKey 6603->6605 6604->6195 6605->6604 6607 2b02554 lstrcatA 6606->6607 6608 2b0ee2a 6607->6608 6609 2b0a0ec lstrcatA 6608->6609 6609->6228 6611 2b0ec37 6610->6611 6612 2b0a15d 6610->6612 6613 2b0eba0 codecvt 2 API calls 6611->6613 6612->6159 6612->6162 6614 2b0ec3d GetProcessHeap RtlFreeHeap 6613->6614 6614->6612 6616 2b02544 6615->6616 6617 2b0919e wsprintfA 6616->6617 6618 2b091bb 6617->6618 7268 2b09064 GetTempPathA 6618->7268 6621 2b091d5 ShellExecuteA 6622 2b091e7 6621->6622 6622->6178 6624 2b06ecc 6623->6624 6626 2b06ed5 6623->6626 6625 2b06e36 2 API calls 6624->6625 6625->6626 6626->6215 6628 2b098f6 6627->6628 6629 2b04280 30 API calls 6628->6629 6630 2b09904 Sleep 6628->6630 6631 2b09915 6628->6631 6629->6628 6630->6628 6630->6631 6633 2b09947 6631->6633 7275 2b0977c 6631->7275 6633->6211 6635 2b0dd41 InterlockedExchange 6634->6635 6636 2b0dd20 GetCurrentThreadId 6635->6636 6637 2b0dd4a 6635->6637 6638 2b0dd53 GetCurrentThreadId 6636->6638 6639 2b0dd2e GetTickCount 6636->6639 6637->6638 6638->6247 6640 2b0dd39 Sleep 
6639->6640 6641 2b0dd4c 6639->6641 6640->6635 6641->6638 6643 2b0dbf0 6642->6643 6675 2b0db67 GetEnvironmentVariableA 6643->6675 6645 2b0dc19 6646 2b0dcda 6645->6646 6647 2b0db67 3 API calls 6645->6647 6646->6249 6648 2b0dc5c 6647->6648 6648->6646 6649 2b0db67 3 API calls 6648->6649 6650 2b0dc9b 6649->6650 6650->6646 6651 2b0db67 3 API calls 6650->6651 6651->6646 6653 2b0e528 6652->6653 6654 2b0e3f4 6652->6654 6653->6261 6655 2b0e434 RegQueryValueExA 6654->6655 6656 2b0e458 6655->6656 6657 2b0e51d RegCloseKey 6655->6657 6658 2b0e46e RegQueryValueExA 6656->6658 6657->6653 6658->6656 6659 2b0e488 6658->6659 6659->6657 6660 2b0db2e 8 API calls 6659->6660 6661 2b0e499 6660->6661 6661->6657 6662 2b0e4b9 RegQueryValueExA 6661->6662 6663 2b0e4e8 6661->6663 6662->6661 6662->6663 6663->6657 6664 2b0e332 14 API calls 6663->6664 6665 2b0e513 6664->6665 6665->6657 6667 2b0db55 6666->6667 6668 2b0db3a 6666->6668 6667->6251 6667->6256 6679 2b0ebed 6668->6679 6697 2b0f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6670->6697 6672 2b0e3be 6672->6251 6673 2b0e342 6673->6672 6700 2b0de24 6673->6700 6676 2b0dbca 6675->6676 6678 2b0db89 lstrcpyA CreateFileA 6675->6678 6676->6645 6678->6645 6680 2b0ec01 6679->6680 6681 2b0ebf6 6679->6681 6691 2b0eba0 6680->6691 6688 2b0ebcc GetProcessHeap RtlAllocateHeap 6681->6688 6689 2b0eb74 2 API calls 6688->6689 6690 2b0ebe8 6689->6690 6690->6667 6692 2b0eba7 GetProcessHeap HeapSize 6691->6692 6693 2b0ebbf GetProcessHeap RtlReAllocateHeap 6691->6693 6692->6693 6694 2b0eb74 6693->6694 6695 2b0eb7b GetProcessHeap HeapSize 6694->6695 6696 2b0eb93 6694->6696 6695->6696 6696->6667 6711 2b0eb41 6697->6711 6699 2b0f0b7 6699->6673 6701 2b0de3a 6700->6701 6707 2b0de4e 6701->6707 6720 2b0dd84 6701->6720 6704 2b0ebed 8 API calls 6709 2b0def6 6704->6709 6705 2b0de9e 6705->6704 6705->6707 6706 2b0de76 6724 2b0ddcf 6706->6724 6707->6673 6709->6707 6710 2b0ddcf lstrcmpA 6709->6710 6710->6707 6712 2b0eb61 6711->6712 6713 2b0eb4a 6711->6713 6712->6699 6716 
2b0eae4 6713->6716 6715 2b0eb54 6715->6699 6715->6712 6717 2b0eb02 GetProcAddress 6716->6717 6718 2b0eaed LoadLibraryA 6716->6718 6717->6715 6718->6717 6719 2b0eb01 6718->6719 6719->6715 6721 2b0dd96 6720->6721 6722 2b0ddc5 6720->6722 6721->6722 6723 2b0ddad lstrcmpiA 6721->6723 6722->6705 6722->6706 6723->6721 6723->6722 6725 2b0de20 6724->6725 6726 2b0dddd 6724->6726 6725->6707 6726->6725 6727 2b0ddfa lstrcmpA 6726->6727 6727->6726 6729 2b0dd05 6 API calls 6728->6729 6730 2b0e821 6729->6730 6731 2b0dd84 lstrcmpiA 6730->6731 6732 2b0e82c 6731->6732 6733 2b0e844 6732->6733 6778 2b02480 6732->6778 6733->6276 6736 2b0ea98 6735->6736 6787 2b0e8a1 6736->6787 6738 2b01e84 6738->6284 6740 2b019d5 GetProcAddress GetProcAddress GetProcAddress 6739->6740 6741 2b019ce 6739->6741 6742 2b01ab3 FreeLibrary 6740->6742 6743 2b01a04 6740->6743 6741->6289 6742->6741 6743->6742 6744 2b01a14 GetBestInterface GetProcessHeap 6743->6744 6744->6741 6745 2b01a2e HeapAlloc 6744->6745 6745->6741 6746 2b01a42 GetAdaptersInfo 6745->6746 6747 2b01a62 6746->6747 6748 2b01a52 HeapReAlloc 6746->6748 6749 2b01aa1 FreeLibrary 6747->6749 6750 2b01a69 GetAdaptersInfo 6747->6750 6748->6747 6749->6741 6750->6749 6751 2b01a75 HeapFree 6750->6751 6751->6749 6815 2b01ac3 LoadLibraryA 6753->6815 6756 2b01bcf 6756->6300 6758 2b01ac3 13 API calls 6757->6758 6759 2b01c09 6758->6759 6760 2b01c5a 6759->6760 6761 2b01c0d GetComputerNameA 6759->6761 6760->6309 6762 2b01c45 GetVolumeInformationA 6761->6762 6763 2b01c1f 6761->6763 6762->6760 6763->6762 6764 2b01c41 6763->6764 6764->6760 6766 2b0ee2a 6765->6766 6767 2b030d0 gethostname gethostbyname 6766->6767 6768 2b01f82 6767->6768 6768->6313 6768->6315 6770 2b0dd05 6 API calls 6769->6770 6771 2b0df7c 6770->6771 6772 2b0dd84 lstrcmpiA 6771->6772 6773 2b0df89 6772->6773 6774 2b0dfc4 6773->6774 6775 2b0ddcf lstrcmpA 6773->6775 6776 2b0ec2e codecvt 4 API calls 6773->6776 6777 2b0dd84 lstrcmpiA 6773->6777 6774->6281 6775->6773 6776->6773 6777->6773 6781 2b02419 
lstrlenA 6778->6781 6780 2b02491 6780->6733 6782 2b02474 6781->6782 6783 2b0243d lstrlenA 6781->6783 6782->6780 6784 2b02464 lstrlenA 6783->6784 6785 2b0244e lstrcmpiA 6783->6785 6784->6782 6784->6783 6785->6784 6786 2b0245c 6785->6786 6786->6782 6786->6784 6788 2b0dd05 6 API calls 6787->6788 6789 2b0e8b4 6788->6789 6790 2b0dd84 lstrcmpiA 6789->6790 6791 2b0e8c0 6790->6791 6792 2b0e8c8 lstrcpynA 6791->6792 6802 2b0e90a 6791->6802 6793 2b0e8f5 6792->6793 6808 2b0df4c 6793->6808 6794 2b02419 4 API calls 6795 2b0e926 lstrlenA lstrlenA 6794->6795 6797 2b0e94c lstrlenA 6795->6797 6799 2b0e96a 6795->6799 6797->6799 6798 2b0e901 6800 2b0dd84 lstrcmpiA 6798->6800 6801 2b0ebcc 4 API calls 6799->6801 6803 2b0ea27 6799->6803 6800->6802 6804 2b0e98f 6801->6804 6802->6794 6802->6803 6803->6738 6804->6803 6805 2b0df4c 20 API calls 6804->6805 6806 2b0ea1e 6805->6806 6807 2b0ec2e codecvt 4 API calls 6806->6807 6807->6803 6809 2b0dd05 6 API calls 6808->6809 6810 2b0df51 6809->6810 6811 2b0f04e 4 API calls 6810->6811 6812 2b0df58 6811->6812 6813 2b0de24 10 API calls 6812->6813 6814 2b0df63 6813->6814 6814->6798 6816 2b01ae2 GetProcAddress 6815->6816 6821 2b01b68 GetComputerNameA GetVolumeInformationA 6815->6821 6817 2b01af5 6816->6817 6816->6821 6818 2b01b1c GetAdaptersAddresses 6817->6818 6819 2b0ebed 8 API calls 6817->6819 6820 2b01b29 6817->6820 6818->6817 6818->6820 6819->6817 6820->6821 6822 2b0ec2e codecvt 4 API calls 6820->6822 6821->6756 6822->6821 6824 2b06ec3 2 API calls 6823->6824 6825 2b07ef4 6824->6825 6835 2b07fc9 6825->6835 6859 2b073ff 6825->6859 6827 2b07f16 6827->6835 6879 2b07809 GetUserNameA 6827->6879 6829 2b07f63 6829->6835 6903 2b0ef1e lstrlenA 6829->6903 6832 2b0ef1e lstrlenA 6833 2b07fb7 6832->6833 6905 2b07a95 RegOpenKeyExA 6833->6905 6835->6324 6837 2b07073 6836->6837 6838 2b070b9 RegOpenKeyExA 6837->6838 6839 2b070d0 6838->6839 6853 2b071b8 6838->6853 6840 2b06dc2 6 API calls 6839->6840 6843 2b070d5 6840->6843 6841 2b0719b RegEnumValueA 6842 2b071af 
RegCloseKey 6841->6842 6841->6843 6842->6853 6843->6841 6845 2b071d0 6843->6845 6936 2b0f1a5 lstrlenA 6843->6936 6846 2b07205 RegCloseKey 6845->6846 6847 2b07227 6845->6847 6846->6853 6848 2b072b8 ___ascii_stricmp 6847->6848 6849 2b0728e RegCloseKey 6847->6849 6850 2b072cd RegCloseKey 6848->6850 6851 2b072dd 6848->6851 6849->6853 6850->6853 6852 2b07311 RegCloseKey 6851->6852 6855 2b07335 6851->6855 6852->6853 6853->6325 6854 2b073d5 RegCloseKey 6856 2b073e4 6854->6856 6855->6854 6857 2b0737e GetFileAttributesExA 6855->6857 6858 2b07397 6855->6858 6857->6858 6858->6854 6860 2b0741b 6859->6860 6861 2b06dc2 6 API calls 6860->6861 6862 2b0743f 6861->6862 6863 2b07469 RegOpenKeyExA 6862->6863 6864 2b077f9 6863->6864 6874 2b07487 ___ascii_stricmp 6863->6874 6864->6827 6865 2b07703 RegEnumKeyA 6866 2b07714 RegCloseKey 6865->6866 6865->6874 6866->6864 6867 2b074d2 RegOpenKeyExA 6867->6874 6868 2b0772c 6870 2b07742 RegCloseKey 6868->6870 6871 2b0774b 6868->6871 6869 2b07521 RegQueryValueExA 6869->6874 6870->6871 6873 2b077ec RegCloseKey 6871->6873 6872 2b076e4 RegCloseKey 6872->6874 6873->6864 6874->6865 6874->6867 6874->6868 6874->6869 6874->6872 6875 2b07769 6874->6875 6877 2b0f1a5 lstrlenA 6874->6877 6878 2b0777e GetFileAttributesExA 6874->6878 6876 2b077e3 RegCloseKey 6875->6876 6876->6873 6877->6874 6878->6875 6880 2b0783d LookupAccountNameA 6879->6880 6886 2b07a8d 6879->6886 6881 2b07874 GetLengthSid GetFileSecurityA 6880->6881 6880->6886 6882 2b078a8 GetSecurityDescriptorOwner 6881->6882 6881->6886 6883 2b078c5 EqualSid 6882->6883 6884 2b0791d GetSecurityDescriptorDacl 6882->6884 6883->6884 6885 2b078dc LocalAlloc 6883->6885 6884->6886 6897 2b07941 6884->6897 6885->6884 6887 2b078ef InitializeSecurityDescriptor 6885->6887 6886->6829 6889 2b07916 LocalFree 6887->6889 6890 2b078fb SetSecurityDescriptorOwner 6887->6890 6888 2b0795b GetAce 6888->6897 6889->6884 6890->6889 6891 2b0790b SetFileSecurityA 6890->6891 6891->6889 6892 2b07980 EqualSid 6892->6897 6893 2b07a3d 
6893->6886 6896 2b07a43 LocalAlloc 6893->6896 6894 2b079be EqualSid 6894->6897 6895 2b0799d DeleteAce 6895->6897 6896->6886 6898 2b07a56 InitializeSecurityDescriptor 6896->6898 6897->6886 6897->6888 6897->6892 6897->6893 6897->6894 6897->6895 6899 2b07a62 SetSecurityDescriptorDacl 6898->6899 6900 2b07a86 LocalFree 6898->6900 6899->6900 6901 2b07a73 SetFileSecurityA 6899->6901 6900->6886 6901->6900 6902 2b07a83 6901->6902 6902->6900 6904 2b07fa6 6903->6904 6904->6832 6906 2b07acb GetUserNameA 6905->6906 6907 2b07ac4 6905->6907 6908 2b07da7 RegCloseKey 6906->6908 6909 2b07aed LookupAccountNameA 6906->6909 6907->6835 6908->6907 6909->6908 6910 2b07b24 RegGetKeySecurity 6909->6910 6910->6908 6911 2b07b49 GetSecurityDescriptorOwner 6910->6911 6912 2b07b63 EqualSid 6911->6912 6913 2b07bb8 GetSecurityDescriptorDacl 6911->6913 6912->6913 6914 2b07b74 LocalAlloc 6912->6914 6915 2b07da6 6913->6915 6922 2b07bdc 6913->6922 6914->6913 6916 2b07b8a InitializeSecurityDescriptor 6914->6916 6915->6908 6917 2b07bb1 LocalFree 6916->6917 6918 2b07b96 SetSecurityDescriptorOwner 6916->6918 6917->6913 6918->6917 6920 2b07ba6 RegSetKeySecurity 6918->6920 6919 2b07bf8 GetAce 6919->6922 6920->6917 6921 2b07c1d EqualSid 6921->6922 6922->6915 6922->6919 6922->6921 6923 2b07c5f EqualSid 6922->6923 6924 2b07cd9 6922->6924 6925 2b07c3a DeleteAce 6922->6925 6923->6922 6924->6915 6926 2b07d5a LocalAlloc 6924->6926 6927 2b07cf2 RegOpenKeyExA 6924->6927 6925->6922 6926->6915 6928 2b07d70 InitializeSecurityDescriptor 6926->6928 6927->6926 6933 2b07d0f 6927->6933 6929 2b07d7c SetSecurityDescriptorDacl 6928->6929 6930 2b07d9f LocalFree 6928->6930 6929->6930 6931 2b07d8c RegSetKeySecurity 6929->6931 6930->6915 6931->6930 6932 2b07d9c 6931->6932 6932->6930 6934 2b07d43 RegSetValueExA 6933->6934 6934->6926 6935 2b07d54 6934->6935 6935->6926 6937 2b0f1c3 6936->6937 6937->6843 6938->6344 6940 2b0dd05 6 API calls 6939->6940 6943 2b0e65f 6940->6943 6941 2b0e6a5 6942 2b0ebcc 4 API calls 6941->6942 6948 2b0e6f5 
6941->6948 6945 2b0e6b0 6942->6945 6943->6941 6944 2b0e68c lstrcmpA 6943->6944 6944->6943 6946 2b0e6b7 6945->6946 6947 2b0e6e0 lstrcpynA 6945->6947 6945->6948 6946->6346 6947->6948 6948->6946 6949 2b0e71d lstrcmpA 6948->6949 6949->6948 6950->6352 6952 2b02692 inet_addr 6951->6952 6954 2b0268e 6951->6954 6953 2b0269e gethostbyname 6952->6953 6952->6954 6953->6954 6955 2b0f428 6954->6955 7103 2b0f315 6955->7103 6958 2b0f43e 6959 2b0f473 recv 6958->6959 6960 2b0f458 6959->6960 6961 2b0f47c 6959->6961 6960->6959 6960->6961 6961->6383 6963 2b0c525 6962->6963 6964 2b0c532 6962->6964 6963->6964 6968 2b0ec2e codecvt 4 API calls 6963->6968 6965 2b0c548 6964->6965 7116 2b0e7ff 6964->7116 6966 2b0c54f 6965->6966 6969 2b0e7ff lstrcmpiA 6965->6969 6966->6365 6968->6964 6971 2b0c615 6969->6971 6971->6966 6972 2b0ebcc 4 API calls 6971->6972 6972->6966 6973 2b0c5d1 6974 2b0ebcc 4 API calls 6973->6974 6974->6966 6975 2b0e819 11 API calls 6976 2b0c5b7 6975->6976 6977 2b0f04e 4 API calls 6976->6977 6978 2b0c5bf 6977->6978 6978->6965 6978->6973 6981 2b0c8d2 6979->6981 6980 2b0c907 6980->6367 6981->6980 6982 2b0c517 23 API calls 6981->6982 6982->6980 6984 2b0c670 6983->6984 6985 2b0c67d 6983->6985 6986 2b0ebcc 4 API calls 6984->6986 6987 2b0ebcc 4 API calls 6985->6987 6988 2b0c699 6985->6988 6986->6985 6987->6988 6989 2b0c6f3 6988->6989 6990 2b0c73c send 6988->6990 6989->6396 6989->6405 6990->6989 6992 2b0c770 6991->6992 6993 2b0c77d 6991->6993 6994 2b0ebcc 4 API calls 6992->6994 6995 2b0c799 6993->6995 6996 2b0ebcc 4 API calls 6993->6996 6994->6993 6997 2b0c7b5 6995->6997 6998 2b0ebcc 4 API calls 6995->6998 6996->6995 6999 2b0f43e recv 6997->6999 6998->6997 7000 2b0c7cb 6999->7000 7001 2b0c7d3 7000->7001 7002 2b0f43e recv 7000->7002 7001->6405 7002->7001 7119 2b07db7 7003->7119 7006 2b07e96 7006->6405 7007 2b0f04e 4 API calls 7009 2b07e4c 7007->7009 7008 2b0f04e 4 API calls 7008->7006 7010 2b0f04e 4 API calls 7009->7010 7011 2b07e70 7009->7011 7010->7011 7011->7006 7011->7008 7013 
2b06ec3 2 API calls 7012->7013 7014 2b07fdd 7013->7014 7015 2b080c2 CreateProcessA 7014->7015 7016 2b073ff 17 API calls 7014->7016 7015->6450 7015->6451 7017 2b07fff 7016->7017 7017->7015 7018 2b07809 21 API calls 7017->7018 7019 2b0804d 7018->7019 7019->7015 7020 2b0ef1e lstrlenA 7019->7020 7021 2b0809e 7020->7021 7022 2b0ef1e lstrlenA 7021->7022 7023 2b080af 7022->7023 7024 2b07a95 24 API calls 7023->7024 7024->7015 7026 2b07db7 2 API calls 7025->7026 7027 2b07eb8 7026->7027 7028 2b0f04e 4 API calls 7027->7028 7029 2b07ece DeleteFileA 7028->7029 7029->6405 7031 2b0dd05 6 API calls 7030->7031 7032 2b0e31d 7031->7032 7123 2b0e177 7032->7123 7034 2b0e326 7034->6422 7036 2b031f3 7035->7036 7046 2b031ec 7035->7046 7037 2b0ebcc 4 API calls 7036->7037 7051 2b031fc 7037->7051 7038 2b0344b 7039 2b03459 7038->7039 7040 2b0349d 7038->7040 7042 2b0f04e 4 API calls 7039->7042 7041 2b0ec2e codecvt 4 API calls 7040->7041 7041->7046 7043 2b0345f 7042->7043 7045 2b030fa 4 API calls 7043->7045 7044 2b0ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7044->7051 7045->7046 7046->6405 7047 2b0344d 7048 2b0ec2e codecvt 4 API calls 7047->7048 7048->7038 7050 2b03141 lstrcmpiA 7050->7051 7051->7038 7051->7044 7051->7046 7051->7047 7051->7050 7149 2b030fa GetTickCount 7051->7149 7053 2b030fa 4 API calls 7052->7053 7054 2b03c1a 7053->7054 7055 2b03ce6 7054->7055 7154 2b03a72 7054->7154 7055->6405 7058 2b03a72 9 API calls 7060 2b03c5e 7058->7060 7059 2b03a72 9 API calls 7059->7060 7060->7055 7060->7059 7061 2b0ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7060->7061 7061->7060 7063 2b03a10 7062->7063 7064 2b030fa 4 API calls 7063->7064 7065 2b03a1a 7064->7065 7065->6405 7067 2b0dd05 6 API calls 7066->7067 7068 2b0e7be 7067->7068 7068->6405 7070 2b0c105 7069->7070 7071 2b0c07e wsprintfA 7069->7071 7070->6405 7163 2b0bfce GetTickCount wsprintfA 7071->7163 7073 2b0c0ef 7164 2b0bfce GetTickCount wsprintfA 7073->7164 7076 2b07047 7075->7076 7077 2b06f88 
LookupAccountNameA 7075->7077 7076->6405 7079 2b07025 7077->7079 7080 2b06fcb 7077->7080 7165 2b06edd 7079->7165 7083 2b06fdb ConvertSidToStringSidA 7080->7083 7083->7079 7084 2b06ff1 7083->7084 7085 2b07013 LocalFree 7084->7085 7085->7079 7087 2b0dd05 6 API calls 7086->7087 7088 2b0e85c 7087->7088 7089 2b0dd84 lstrcmpiA 7088->7089 7090 2b0e867 7089->7090 7091 2b0e885 lstrcpyA 7090->7091 7176 2b024a5 7090->7176 7179 2b0dd69 7091->7179 7097 2b07db7 2 API calls 7096->7097 7098 2b07de1 7097->7098 7099 2b0f04e 4 API calls 7098->7099 7102 2b07e16 7098->7102 7100 2b07df2 7099->7100 7101 2b0f04e 4 API calls 7100->7101 7100->7102 7101->7102 7102->6405 7104 2b0ca1d 7103->7104 7105 2b0f33b 7103->7105 7104->6380 7104->6958 7106 2b0f347 htons socket 7105->7106 7107 2b0f382 ioctlsocket 7106->7107 7108 2b0f374 closesocket 7106->7108 7109 2b0f3aa connect select 7107->7109 7110 2b0f39d 7107->7110 7108->7104 7109->7104 7112 2b0f3f2 __WSAFDIsSet 7109->7112 7111 2b0f39f closesocket 7110->7111 7111->7104 7112->7111 7113 2b0f403 ioctlsocket 7112->7113 7115 2b0f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7113->7115 7115->7104 7117 2b0dd84 lstrcmpiA 7116->7117 7118 2b0c58e 7117->7118 7118->6965 7118->6973 7118->6975 7120 2b07dc8 InterlockedExchange 7119->7120 7121 2b07dc0 Sleep 7120->7121 7122 2b07dd4 7120->7122 7121->7120 7122->7007 7122->7011 7124 2b0e184 7123->7124 7125 2b0e2e4 7124->7125 7126 2b0e223 7124->7126 7139 2b0dfe2 7124->7139 7125->7034 7126->7125 7128 2b0dfe2 8 API calls 7126->7128 7132 2b0e23c 7128->7132 7129 2b0e1be 7129->7126 7130 2b0dbcf 3 API calls 7129->7130 7133 2b0e1d6 7130->7133 7131 2b0e21a CloseHandle 7131->7126 7132->7125 7143 2b0e095 RegCreateKeyExA 7132->7143 7133->7126 7133->7131 7134 2b0e1f9 WriteFile 7133->7134 7134->7131 7136 2b0e213 7134->7136 7136->7131 7137 2b0e2a3 7137->7125 7138 2b0e095 4 API calls 7137->7138 7138->7125 7140 2b0dffc 7139->7140 7142 2b0e024 7139->7142 7141 2b0db2e 8 API calls 7140->7141 7140->7142 7141->7142 7142->7129 
7144 2b0e172 7143->7144 7145 2b0e0c0 7143->7145 7144->7137 7147 2b0e115 RegSetValueExA 7145->7147 7148 2b0e13d 7145->7148 7146 2b0e14e RegDeleteValueA RegCloseKey 7146->7144 7147->7145 7147->7148 7148->7146 7150 2b03122 InterlockedExchange 7149->7150 7151 2b0312e 7150->7151 7152 2b0310f GetTickCount 7150->7152 7151->7051 7152->7151 7153 2b0311a Sleep 7152->7153 7153->7150 7155 2b0f04e 4 API calls 7154->7155 7156 2b03a83 7155->7156 7157 2b03bc0 7156->7157 7161 2b03b66 lstrlenA 7156->7161 7162 2b03ac1 7156->7162 7158 2b03be6 7157->7158 7159 2b0ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7157->7159 7160 2b0ec2e codecvt 4 API calls 7158->7160 7159->7157 7160->7162 7161->7156 7161->7162 7162->7055 7162->7058 7163->7073 7164->7070 7166 2b06eef AllocateAndInitializeSid 7165->7166 7172 2b06f55 wsprintfA 7165->7172 7167 2b06f44 7166->7167 7168 2b06f1c CheckTokenMembership 7166->7168 7167->7172 7173 2b06e36 GetUserNameW 7167->7173 7169 2b06f3b FreeSid 7168->7169 7170 2b06f2e 7168->7170 7169->7167 7170->7169 7172->7076 7174 2b06e97 7173->7174 7175 2b06e5f LookupAccountNameW 7173->7175 7174->7172 7175->7174 7177 2b02419 4 API calls 7176->7177 7178 2b024b6 7177->7178 7178->7091 7180 2b0dd79 lstrlenA 7179->7180 7180->6405 7182 2b0eb17 7181->7182 7183 2b0eb21 7181->7183 7184 2b0eae4 2 API calls 7182->7184 7183->6507 7184->7183 7187 2b069b9 WriteFile 7185->7187 7188 2b06a3c 7187->7188 7190 2b069ff 7187->7190 7188->6503 7188->6504 7189 2b06a10 WriteFile 7189->7188 7189->7190 7190->7188 7190->7189 7192 2b03edc 7191->7192 7194 2b03ee2 7191->7194 7193 2b06dc2 6 API calls 7192->7193 7193->7194 7194->6518 7196 2b0400b CreateFileA 7195->7196 7197 2b0402c GetLastError 7196->7197 7198 2b04052 7196->7198 7197->7198 7199 2b04037 7197->7199 7198->6521 7199->7198 7200 2b04041 Sleep 7199->7200 7200->7196 7200->7198 7202 2b03f7c 7201->7202 7203 2b03f4e GetLastError 7201->7203 7205 2b03f8c ReadFile 7202->7205 7203->7202 7204 2b03f5b WaitForSingleObject GetOverlappedResult 
7203->7204 7204->7202 7206 2b03fc2 GetLastError 7205->7206 7207 2b03ff0 7205->7207 7206->7207 7208 2b03fcf WaitForSingleObject GetOverlappedResult 7206->7208 7207->6526 7207->6527 7208->7207 7210 2b01924 GetVersionExA 7209->7210 7210->6566 7212 2b0f0f1 7211->7212 7213 2b0f0ed 7211->7213 7214 2b0f119 7212->7214 7215 2b0f0fa lstrlenA SysAllocStringByteLen 7212->7215 7213->6598 7216 2b0f11c MultiByteToWideChar 7214->7216 7215->7216 7217 2b0f117 7215->7217 7216->7217 7217->6598 7219 2b01820 17 API calls 7218->7219 7220 2b018f2 7219->7220 7221 2b018f9 7220->7221 7235 2b01280 7220->7235 7221->6592 7223 2b01908 7223->6592 7247 2b01000 7224->7247 7226 2b01839 7227 2b01851 GetCurrentProcess 7226->7227 7228 2b0183d 7226->7228 7229 2b01864 7227->7229 7228->6583 7229->6583 7231 2b09308 7230->7231 7233 2b0920e 7230->7233 7231->6592 7232 2b092f1 Sleep 7232->7233 7233->7231 7233->7232 7234 2b092bf ShellExecuteA 7233->7234 7234->7231 7234->7233 7236 2b012e1 7235->7236 7237 2b016f9 GetLastError 7236->7237 7239 2b013a8 7236->7239 7238 2b01699 7237->7238 7238->7223 7239->7238 7240 2b01570 lstrlenW 7239->7240 7241 2b015be GetStartupInfoW 7239->7241 7242 2b015ff CreateProcessWithLogonW 7239->7242 7246 2b01668 CloseHandle 7239->7246 7240->7239 7241->7239 7243 2b016bf GetLastError 7242->7243 7244 2b0163f WaitForSingleObject 7242->7244 7243->7238 7244->7239 7245 2b01659 CloseHandle 7244->7245 7245->7239 7246->7239 7248 2b0100d LoadLibraryA 7247->7248 7254 2b01023 7247->7254 7250 2b01021 7248->7250 7248->7254 7249 2b010b5 GetProcAddress 7251 2b010d1 GetProcAddress 7249->7251 7252 2b0127b 7249->7252 7250->7226 7251->7252 7253 2b010f0 GetProcAddress 7251->7253 7252->7226 7253->7252 7255 2b01110 GetProcAddress 7253->7255 7254->7249 7267 2b010ae 7254->7267 7255->7252 7256 2b01130 GetProcAddress 7255->7256 7256->7252 7257 2b0114f GetProcAddress 7256->7257 7257->7252 7258 2b0116f GetProcAddress 7257->7258 7258->7252 7259 2b0118f GetProcAddress 7258->7259 7259->7252 7260 2b011ae GetProcAddress 
Control-flow graph (Joe Sandbox IDA plugin, memory dump at 02B00000): serialized block-to-block edge list of the graph viewer; only the API references it carries are kept here. Blocks in the dump call GetProcAddress, LoadLibraryA, GetModuleHandleA, VirtualAlloc, VirtualAllocEx, VirtualProtect, VirtualFree, FreeLibrary, WriteProcessMemory, CreateProcessA, GetThreadContext, SetThreadContext, ResumeThread, TerminateProcess, CreateThread, CreateNamedPipeA, ConnectNamedPipe, DisconnectNamedPipe, ReadFile, WriteFile, CreateFileA, DeleteFileA, CloseHandle, GetOverlappedResult, WaitForSingleObject, GetLastError, GetTempPathA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey, GetProcessHeap, HeapAlloc, HeapFree, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, GetTickCount, Sleep, GetCurrentThreadId, GetCurrentProcess, StackWalk64, ExitProcess, GetLocalTime, GetSystemTimeAsFileTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeZoneInformation, IsBadCodePtr, IsBadReadPtr, IsBadWritePtr, lstrlenA, lstrcpyA, lstrcpynA, lstrcmpA, wsprintfA, WSAStartup, socket, setsockopt, select, send, sendto, recv, closesocket, htons, htonl, inet_addr, inet_ntoa, gethostname, gethostbyname, gethostbyaddr and DnsQuery_A.
                                                                                            APIs
                                                                                            • closesocket.WS2_32(?), ref: 02B0CA4E
                                                                                            • closesocket.WS2_32(?), ref: 02B0CB63
                                                                                            • GetTempPathA.KERNEL32(00000120,?), ref: 02B0CC28
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B0CCB4
                                                                                            • WriteFile.KERNEL32(02B0A4B3,?,-000000E8,?,00000000), ref: 02B0CCDC
                                                                                            • CloseHandle.KERNEL32(02B0A4B3), ref: 02B0CCED
                                                                                            • wsprintfA.USER32 ref: 02B0CD21
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02B0CD77
                                                                                            • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02B0CD89
                                                                                            • CloseHandle.KERNEL32(?), ref: 02B0CD98
                                                                                            • CloseHandle.KERNEL32(?), ref: 02B0CD9D
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02B0CDC4
                                                                                            • CloseHandle.KERNEL32(02B0A4B3), ref: 02B0CDCC
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02B0CFB1
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02B0CFEF
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02B0D033
                                                                                            • lstrcatA.KERNEL32(?,04100108), ref: 02B0D10C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 02B0D155
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02B0D171
                                                                                            • WriteFile.KERNEL32(00000000,0410012C,?,?,00000000), ref: 02B0D195
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B0D19C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 02B0D1C8
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02B0D231
                                                                                            • lstrcatA.KERNEL32(?,04100108,?,?,?,?,?,?,?,00000100), ref: 02B0D27C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02B0D2AB
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02B0D2C7
                                                                                            • WriteFile.KERNEL32(00000000,0410012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02B0D2EB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02B0D2F2
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02B0D326
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02B0D372
                                                                                            • lstrcatA.KERNEL32(?,04100108,?,?,?,?,?,?,?,00000100), ref: 02B0D3BD
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02B0D3EC
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02B0D408
                                                                                            • WriteFile.KERNEL32(00000000,0410012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02B0D428
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02B0D42F
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02B0D45B
                                                                                            • CreateProcessA.KERNEL32(?,02B10264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02B0D4DE
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02B0D4F4
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02B0D4FC
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02B0D513
                                                                                            • closesocket.WS2_32(?), ref: 02B0D56C
                                                                                            • Sleep.KERNEL32(000003E8), ref: 02B0D577
                                                                                            • ExitProcess.KERNEL32 ref: 02B0D583
                                                                                            • wsprintfA.USER32 ref: 02B0D81F
                                                                                              • Part of subcall function 02B0C65C: send.WS2_32(00000000,?,00000000), ref: 02B0C74B
                                                                                            • closesocket.WS2_32(?), ref: 02B0DAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                            • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                            • API String ID: 562065436-36586020
                                                                                            • Opcode ID: aac17a41ad031ba562929fa70c1f9035604520c26b934564517fc6bfa401046d
                                                                                            • Instruction ID: e17b2a2e367ad8e7b80e7f145489cc3e306df7fda6a5e43180174f98b6689f86
                                                                                            • Opcode Fuzzy Hash: aac17a41ad031ba562929fa70c1f9035604520c26b934564517fc6bfa401046d
                                                                                            • Instruction Fuzzy Hash: 10B2A571D40209AFEB12ABA4DCC5FAE7FA9EB08344F5409EAF905A71D0E7309995CF50
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 02B09A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 02B09A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(02B06511), ref: 02B09A8A
                                                                                              • Part of subcall function 02B0EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B0EC5E
                                                                                              • Part of subcall function 02B0EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02B0EC72
                                                                                              • Part of subcall function 02B0EC54: GetTickCount.KERNEL32 ref: 02B0EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02B09AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02B09ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 02B09AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 02B09B99
                                                                                            • ExitProcess.KERNEL32 ref: 02B09C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 02B09CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 02B09D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 02B09D8B
                                                                                            • lstrcatA.KERNEL32(?,02B1070C), ref: 02B09D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02B09DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 02B09E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02B09E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02B09EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02B09ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02B09F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02B09F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02B09F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02B09FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02B09FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02B09FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 02B0A038
                                                                                            • lstrcatA.KERNEL32(00000022,02B10A34), ref: 02B0A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 02B0A072
                                                                                            • lstrcatA.KERNEL32(00000022,02B10A34), ref: 02B0A08D
                                                                                            • wsprintfA.USER32 ref: 02B0A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 02B0A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 02B0A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02B0A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02B0A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02B0A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02B0A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 02B0A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 02B0A1E5
                                                                                              • Part of subcall function 02B099D2: lstrcpyA.KERNEL32(?,?,00000100,02B122F8,00000000,?,02B09E9D,?,00000022,?,?,?,?,?,?,?), ref: 02B099DF
                                                                                              • Part of subcall function 02B099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02B09E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02B09A3C
                                                                                              • Part of subcall function 02B099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02B09E9D,?,00000022,?,?,?), ref: 02B09A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 02B0A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02B0A3B7
                                                                                            • GetLastError.KERNEL32 ref: 02B0A3ED
                                                                                            • Sleep.KERNELBASE(000003E8), ref: 02B0A400
                                                                                            • DeleteFileA.KERNELBASE(02B133D8), ref: 02B0A407
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,02B0405E,00000000,00000000,00000000), ref: 02B0A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 02B0A43A
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,02B0877E,00000000,00000000,00000000), ref: 02B0A469
                                                                                            • Sleep.KERNELBASE(00000BB8), ref: 02B0A48A
                                                                                            • GetTickCount.KERNEL32 ref: 02B0A49F
                                                                                            • GetTickCount.KERNEL32 ref: 02B0A4B7
                                                                                            • Sleep.KERNELBASE(00001A90), ref: 02B0A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe$D$P$\$qeuwztgf
                                                                                            • API String ID: 2089075347-557685099
                                                                                            • Opcode ID: 07dc0d646e09009617337cb95964938ade04258c44f5717d0408d78c714f7947
                                                                                            • Instruction ID: 95456ab8e3a6ab30f582f6008e35e19ac7c45702c9859487476521533cbd4a65
                                                                                            • Opcode Fuzzy Hash: 07dc0d646e09009617337cb95964938ade04258c44f5717d0408d78c714f7947
                                                                                            • Instruction Fuzzy Hash: A15273B1D4025DAFDB22ABA08CC9EEE7FBDEB04704F4449E5F605A3181E7749A948F50

                                                                                            Control-flow Graph for 2b0199c-2b01ac2 (graph rendering not available in text; its basic blocks call inet_addr, LoadLibraryA, GetProcAddress (3x), GetBestInterface, GetProcessHeap, HeapAlloc, GetAdaptersInfo, HeapReAlloc, HeapFree, FreeLibrary)
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 02B019B1
                                                                                            • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02B01E9E), ref: 02B019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02B019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02B019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02B019F9
                                                                                            • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02B01E9E), ref: 02B01A1B
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02B01E9E), ref: 02B01A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02B01E9E), ref: 02B01A36
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,02B01E9E,?,?,?,?,00000001,02B01E9E), ref: 02B01A4A
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,02B01E9E,?,?,?,?,00000001,02B01E9E), ref: 02B01A5A
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,02B01E9E,?,?,?,?,00000001,02B01E9E), ref: 02B01A6E
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02B01E9E), ref: 02B01A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02B01E9E), ref: 02B01AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 293628436-270533642
                                                                                            • Opcode ID: 5a5ba79d159b0dd6332fba68370033fde115108305b1404c6034f207b61e80d4
                                                                                            • Instruction ID: 0ada2215dd3c4e51eab268b6f98116ad204131cf21464c33cc57d6d4d37384da
                                                                                            • Opcode Fuzzy Hash: 5a5ba79d159b0dd6332fba68370033fde115108305b1404c6034f207b61e80d4
                                                                                            • Instruction Fuzzy Hash: C6319031D10209AFDF16AFE9CCC88BEBFB5EB44751B5449A9F925A3150D7304A90CBA0

                                                                                            Control-flow Graph for 2b07a95-2b07db6 (graph rendering not available in text; its basic blocks call RegOpenKeyExA, GetUserNameA, LookupAccountNameA, RegGetKeySecurity, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, RegSetKeySecurity, LocalFree, GetSecurityDescriptorDacl, GetAce, DeleteAce, SetSecurityDescriptorDacl, RegSetValueExA, RegCloseKey and the internal subroutine 2b02544)
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02B07ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02B07ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,02B1070C,?,?,?), ref: 02B07B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02B07B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02B07B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 02B07B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02B07B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B07B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02B07B9C
                                                                                            • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02B07BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02B07BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,02B07FC9,?,00000000), ref: 02B07BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe$D
                                                                                            • API String ID: 2976863881-2152778875
                                                                                            • Opcode ID: 53c5b3bf17449e7fde141e70fd3357cf756ece703facc934061f94afae57abb0
                                                                                            • Instruction ID: e19bacc573683294c329b0345dc5b335fa62b18304ad2694ea967d3e3fb709bf
                                                                                            • Opcode Fuzzy Hash: 53c5b3bf17449e7fde141e70fd3357cf756ece703facc934061f94afae57abb0
                                                                                            • Instruction Fuzzy Hash: 8AA15DB1D40219AFDB129FA0CC88EEEFFB9FB04344F0445A9E905E2180DB349A95DB60

                                                                                            Control-flow Graph for 2b07809-2b07a94 (graph rendering not available in text; its basic blocks call GetUserNameA, LookupAccountNameA, GetLengthSid, GetFileSecurityA, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetFileSecurityA, LocalFree, GetSecurityDescriptorDacl, GetAce, DeleteAce, SetSecurityDescriptorDacl)
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02B0782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02B07866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 02B07878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02B0789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,02B07F63,?), ref: 02B078B8
                                                                                            • EqualSid.ADVAPI32(?,02B07F63), ref: 02B078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02B078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02B07901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02B07910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02B07917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02B07933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 02B07963
                                                                                            • EqualSid.ADVAPI32(?,02B07F63), ref: 02B0798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 02B079A3
                                                                                            • EqualSid.ADVAPI32(?,02B07F63), ref: 02B079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02B07A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B07A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02B07A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02B07A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02B07A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: c3d91a0123648064764c78a0ca7402fddf423967e64b5bcb9ba4c76c918d2a30
                                                                                            • Instruction ID: 7fd9206cdf51e09dbf7c7434a9aff2b6708b520462bfe1f4070e7760fe0d8ab8
                                                                                            • Opcode Fuzzy Hash: c3d91a0123648064764c78a0ca7402fddf423967e64b5bcb9ba4c76c918d2a30
                                                                                            • Instruction Fuzzy Hash: 64813E71D0011EABDB12DFA5CD88FEEFBB8EF08344F1445A9EA15E6180DB349651DB60

                                                                                            Control-flow Graph (rendered graph omitted; basic blocks marked Executed / Not Executed): function with entry block 2b08328, last block 2b0877b-2b0877d
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,02B10750,?,?,00000000,localcfg,00000000), ref: 02B083F3
                                                                                            • RegQueryValueExA.KERNELBASE(02B10750,?,00000000,?,02B08893,?,?,?,00000000,00000103,02B10750,?,?,00000000,localcfg,00000000), ref: 02B08414
                                                                                            • RegSetValueExA.KERNELBASE(02B10750,?,00000000,00000004,02B08893,00000004,?,?,00000000,00000103,02B10750,?,?,00000000,localcfg,00000000), ref: 02B08441
                                                                                            • RegCloseKey.ADVAPI32(02B10750,?,?,00000000,00000103,02B10750,?,?,00000000,localcfg,00000000), ref: 02B0844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe$localcfg
                                                                                            • API String ID: 237177642-1714200430
                                                                                            • Opcode ID: df7870acc337d8ea15809bc1a3da33be24b0f068e0d1eb7d30a53dc185a43611
                                                                                            • Instruction ID: 409fd9215b4de07b1b8de3f9a8f79686097c732f652d6115926aed9d19d8875d
                                                                                            • Opcode Fuzzy Hash: df7870acc337d8ea15809bc1a3da33be24b0f068e0d1eb7d30a53dc185a43611
                                                                                            • Instruction Fuzzy Hash: E9C180B1D4014CBEEB12ABA49CC5EEE7F7DEB05344F1448E5FA05A6081EB709B948F61

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 02B01DC6
                                                                                            • GetSystemInfo.KERNELBASE(?), ref: 02B01DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02B01E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02B01E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 02B01E1B
                                                                                            • GetTickCount.KERNEL32 ref: 02B01FC9
                                                                                              • Part of subcall function 02B01BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02B01C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: d74baafebed72fd052c646c168139c02b4366ea811bb19e2347ce3c9c1736884
                                                                                            • Instruction ID: efe8d28c4d891f94611e8f7fda8a14c8474734c0afa3ca3a005ce9dc99a2e67c
                                                                                            • Opcode Fuzzy Hash: d74baafebed72fd052c646c168139c02b4366ea811bb19e2347ce3c9c1736884
                                                                                            • Instruction Fuzzy Hash: 8451B3B0904344AFE321AF698CC9F2BBEECEB88748F444D9DF95A82191D774E544CB61

                                                                                            Control-flow Graph (rendered graph omitted; basic blocks marked Executed / Not Executed): function with entry block 2b073ff, last block 2b07804-2b07808
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 02B07472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 02B074F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 02B07528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 02B0764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 02B076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02B07706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 02B07717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 02B07745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 02B077EF
                                                                                              • Part of subcall function 02B0F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02B122F8,000000C8,02B07150,?), ref: 02B0F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02B0778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 02B077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: b42e0b514aff52459c08f1688622d72636d7c6673879d11f224724a8d00cef7d
                                                                                            • Instruction ID: 99d3972f82e7cc42df5c41e0fbe13463a0be44112a2e2ac30aa7a018e3792afa
                                                                                            • Opcode Fuzzy Hash: b42e0b514aff52459c08f1688622d72636d7c6673879d11f224724a8d00cef7d
                                                                                            • Instruction Fuzzy Hash: E7C17171900209ABEB229BA4DC88FEEFFB9EF45350F1404D5E505A61D0EF71EA94DB60

                                                                                            Control-flow Graph (rendered graph omitted; basic blocks marked Executed / Not Executed): function with entry block 2b0675c, last block 2b06977-2b06986
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 02B0677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 02B0679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 02B067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 02B067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 02B067D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,02B08244,00000000,?,74DF0F10,00000000), ref: 02B06807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02B0681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 02B0683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02B0685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,02B08244,00000000,?,74DF0F10,00000000), ref: 02B0688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 02B06906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,02B08244,00000000,?,74DF0F10,00000000), ref: 02B0691C
                                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 02B06971
                                                                                              • Part of subcall function 02B0EC2E: GetProcessHeap.KERNEL32(00000000,02B0EA27,00000000,02B0EA27,00000000), ref: 02B0EC41
                                                                                              • Part of subcall function 02B0EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02B0EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 1400801100-0
                                                                                            • Opcode ID: 54cda48b7192b5e6e370db205e56c2809a72516145ee2b45b692d02eeedf3485
                                                                                            • Instruction ID: b3aac9612ef93ac2bf8b3437be2c2028bc706ae133e523be4979e4a252c53b9b
                                                                                            • Opcode Fuzzy Hash: 54cda48b7192b5e6e370db205e56c2809a72516145ee2b45b692d02eeedf3485
                                                                                            • Instruction Fuzzy Hash: 3D71E971D0021DEFDB159FA4CC84AEEBBB9FB08354F1045AAF915A6190E7309EA1DB60

                                                                                            Control-flow Graph (rendered graph omitted; basic blocks marked Executed / Not Executed): function with entry block 2b0f315, last block 2b0f424-2b0f427
                                                                                            APIs
                                                                                            • htons.WS2_32(02B0CA1D), ref: 02B0F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 02B0F367
                                                                                            • closesocket.WS2_32(00000000), ref: 02B0F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 85c9498524da1e006d0a6ea08b332a51f41e016b3eef1a482f75d209a9e9125a
                                                                                            • Instruction ID: 29c38b8dbfe4d7db1ea67b1afa79f3a5995259d38e3dd7e354e36d606a86a58a
                                                                                            • Opcode Fuzzy Hash: 85c9498524da1e006d0a6ea08b332a51f41e016b3eef1a482f75d209a9e9125a
                                                                                            • Instruction Fuzzy Hash: E5317E72A40118ABDB21DFA5DC849FE7BBCFF88350F5045A6F915D3180EB749A818BE0

                                                                                            Control-flow Graph (rendered graph omitted; basic blocks marked Executed / Not Executed): function with entry block 2b0405e, last block 2b0427b
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02B04070
                                                                                            • ExitProcess.KERNEL32 ref: 02B04121
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: 66299d956b02df8e1109b4ca682c2d512a57f9e156ed9b3b7cda256d27e46922
                                                                                            • Instruction ID: 1e6bdcecec6d69b8b526d8e25ce5dfbadc79050c209215a621e2ce3a267bba74
                                                                                            • Opcode Fuzzy Hash: 66299d956b02df8e1109b4ca682c2d512a57f9e156ed9b3b7cda256d27e46922
                                                                                            • Instruction Fuzzy Hash: BE516171D40219BADB12ABA08DC9FBF7EBDEB15754F4004A5FB14B60C0E7318A51CB61

                                                                                            Control-flow Graph (rendered graph omitted; basic blocks marked Executed / Not Executed): function with entry block 2b02d21, last block 2b02dee-2b02df1
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,02B02F01,?,02B020FF,02B12000), ref: 02B02D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02B02D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02B02D61
                                                                                            • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02B02D77
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02B02D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 02B02DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02B02DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 233223969-3847274415
                                                                                            • Opcode ID: f59dae9bd4900ca8e4a0df9dbdd0d259baf38fb01c8edb4efc75061bb776667f
                                                                                            • Instruction ID: 8ac04ec0a8f6f81e984ad092d77b160f67d6bb3f19f0e36179b133f33fbe9cdf
                                                                                            • Opcode Fuzzy Hash: f59dae9bd4900ca8e4a0df9dbdd0d259baf38fb01c8edb4efc75061bb776667f
                                                                                            • Instruction Fuzzy Hash: D0216271D40229ABCB12AF54DC88AAEBFB9EF08B54F504992FD05E7140D7709ED987D0

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1251 2b080c9-2b080ed call 2b06ec3 1254 2b080f9-2b08115 call 2b0704c 1251->1254 1255 2b080ef call 2b07ee6 1251->1255 1260 2b08225-2b0822b 1254->1260 1261 2b0811b-2b08121 1254->1261 1259 2b080f4 1255->1259 1259->1260 1263 2b0826c-2b08273 1260->1263 1264 2b0822d-2b08233 1260->1264 1261->1260 1262 2b08127-2b0812a 1261->1262 1262->1260 1266 2b08130-2b08167 call 2b02544 RegOpenKeyExA 1262->1266 1264->1263 1265 2b08235-2b0823f call 2b0675c 1264->1265 1269 2b08244-2b0824b 1265->1269 1272 2b08216-2b08222 call 2b0ee2a 1266->1272 1273 2b0816d-2b0818b RegQueryValueExA 1266->1273 1269->1263 1271 2b0824d-2b08269 call 2b024c2 call 2b0ec2e 1269->1271 1271->1263 1272->1260 1275 2b081f7-2b081fe 1273->1275 1276 2b0818d-2b08191 1273->1276 1279 2b08200-2b08206 call 2b0ec2e 1275->1279 1280 2b0820d-2b08210 RegCloseKey 1275->1280 1276->1275 1281 2b08193-2b08196 1276->1281 1289 2b0820c 1279->1289 1280->1272 1281->1275 1285 2b08198-2b081a8 call 2b0ebcc 1281->1285 1285->1280 1291 2b081aa-2b081c2 RegQueryValueExA 1285->1291 1289->1280 1291->1275 1292 2b081c4-2b081ca 1291->1292 1293 2b081cd-2b081d2 1292->1293 1293->1293 1294 2b081d4-2b081e5 call 2b0ebcc 1293->1294 1294->1280 1297 2b081e7-2b081f5 call 2b0ef00 1294->1297 1297->1289
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02B0815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B0A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02B08187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02B0A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02B081BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02B08210
                                                                                              • Part of subcall function 02B0675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 02B0677E
                                                                                              • Part of subcall function 02B0675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 02B0679A
                                                                                              • Part of subcall function 02B0675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 02B067B0
                                                                                              • Part of subcall function 02B0675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 02B067BF
                                                                                              • Part of subcall function 02B0675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 02B067D3
                                                                                              • Part of subcall function 02B0675C: ReadFile.KERNELBASE(000000FF,?,00000040,02B08244,00000000,?,74DF0F10,00000000), ref: 02B06807
                                                                                              • Part of subcall function 02B0675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02B0681F
                                                                                              • Part of subcall function 02B0675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 02B0683E
                                                                                              • Part of subcall function 02B0675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02B0685C
                                                                                              • Part of subcall function 02B0EC2E: GetProcessHeap.KERNEL32(00000000,02B0EA27,00000000,02B0EA27,00000000), ref: 02B0EC41
                                                                                              • Part of subcall function 02B0EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02B0EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe
                                                                                            • API String ID: 124786226-2080065891
                                                                                            • Opcode ID: dbae80a34be0f7280ee89f6eac26863e5a9ed23aadbd17d301b50d9dc3cf3ab8
                                                                                            • Instruction ID: 7a0603e53abe823d84c4f15b2c50ad3715ec97fc9bacc492d1e100054d577ff8
                                                                                            • Opcode Fuzzy Hash: dbae80a34be0f7280ee89f6eac26863e5a9ed23aadbd17d301b50d9dc3cf3ab8
                                                                                            • Instruction Fuzzy Hash: C14190B2D45119BFEB12EBA09CC4EBE7F6DDB08344F4408EAE945A7080E7709F948B50

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1300 2b01ac3-2b01adc LoadLibraryA 1301 2b01ae2-2b01af3 GetProcAddress 1300->1301 1302 2b01b6b-2b01b70 1300->1302 1303 2b01af5-2b01b01 1301->1303 1304 2b01b6a 1301->1304 1305 2b01b1c-2b01b27 GetAdaptersAddresses 1303->1305 1304->1302 1306 2b01b03-2b01b12 call 2b0ebed 1305->1306 1307 2b01b29-2b01b2b 1305->1307 1306->1307 1318 2b01b14-2b01b1b 1306->1318 1309 2b01b5b-2b01b5e 1307->1309 1310 2b01b2d-2b01b32 1307->1310 1312 2b01b69 1309->1312 1313 2b01b60-2b01b68 call 2b0ec2e 1309->1313 1311 2b01b34-2b01b3b 1310->1311 1310->1312 1315 2b01b54-2b01b59 1311->1315 1316 2b01b3d-2b01b52 1311->1316 1312->1304 1313->1312 1315->1309 1315->1311 1316->1315 1316->1316 1318->1305
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02B01AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02B01AE9
                                                                                            • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02B01B20
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 3646706440-1087626847
                                                                                            • Opcode ID: 1f5ff74c9af3d2ab76dfceff76d5c0e5de5a423457d2f2a4799f39b4879f347f
                                                                                            • Instruction ID: 10b3105d1670ac8f8f2902d9f312aa415ccba052c5368adcf8ca60078ecdb208
                                                                                            • Opcode Fuzzy Hash: 1f5ff74c9af3d2ab76dfceff76d5c0e5de5a423457d2f2a4799f39b4879f347f
                                                                                            • Instruction Fuzzy Hash: 0C11D671E11128AFDB1B9BACCCC48ADBFBAEB44B14B5444D5F009E7190E7308A80CB90

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1320 2b0e3ca-2b0e3ee RegOpenKeyExA 1321 2b0e3f4-2b0e3fb 1320->1321 1322 2b0e528-2b0e52d 1320->1322 1323 2b0e3fe-2b0e403 1321->1323 1323->1323 1324 2b0e405-2b0e40f 1323->1324 1325 2b0e411-2b0e413 1324->1325 1326 2b0e414-2b0e452 call 2b0ee08 call 2b0f1ed RegQueryValueExA 1324->1326 1325->1326 1331 2b0e458-2b0e486 call 2b0f1ed RegQueryValueExA 1326->1331 1332 2b0e51d-2b0e527 RegCloseKey 1326->1332 1335 2b0e488-2b0e48a 1331->1335 1332->1322 1335->1332 1336 2b0e490-2b0e4a1 call 2b0db2e 1335->1336 1336->1332 1339 2b0e4a3-2b0e4a6 1336->1339 1340 2b0e4a9-2b0e4d3 call 2b0f1ed RegQueryValueExA 1339->1340 1343 2b0e4d5-2b0e4da 1340->1343 1344 2b0e4e8-2b0e4ea 1340->1344 1343->1344 1346 2b0e4dc-2b0e4e6 1343->1346 1344->1332 1345 2b0e4ec-2b0e516 call 2b02544 call 2b0e332 1344->1345 1345->1332 1346->1340 1346->1344
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,02B0E5F2,00000000,00020119,02B0E5F2,02B122F8), ref: 02B0E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(02B0E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02B0E44E
                                                                                            • RegQueryValueExA.ADVAPI32(02B0E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02B0E482
                                                                                            • RegQueryValueExA.ADVAPI32(02B0E5F2,?,00000000,?,80000001,?), ref: 02B0E4CF
                                                                                            • RegCloseKey.ADVAPI32(02B0E5F2,?,?,?,?,000000C8,000000E4), ref: 02B0E520
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1586453840-0
                                                                                            • Opcode ID: 65aebf6d27ae5f02dc9f9115a49d6e9ef267914a727f7de95a6e225b027b3705
                                                                                            • Instruction ID: a24f95d47d8fa70dc4a8d707197d8283141addd94f23bde5b6b44371953b002d
                                                                                            • Opcode Fuzzy Hash: 65aebf6d27ae5f02dc9f9115a49d6e9ef267914a727f7de95a6e225b027b3705
                                                                                            • Instruction Fuzzy Hash: 1541F8B2D0021DAFDF129FD4DC84DEEBBBAEB08344F5448A6E911A3190E7319A558B60

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1351 2b0f26d-2b0f303 setsockopt * 5
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02B0F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02B0F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02B0F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02B0F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02B0F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 91e0b61f9382bfe950e8b434cc56f19a0ce14695e6762f132191b71161d70093
                                                                                            • Instruction ID: 58b2bd49413f61b988394eaee5840c3e70667928c953b26f12daa0291e526d6d
                                                                                            • Opcode Fuzzy Hash: 91e0b61f9382bfe950e8b434cc56f19a0ce14695e6762f132191b71161d70093
                                                                                            • Instruction Fuzzy Hash: 0011FBB1A40248BAEB11DE94CD41F9E7FBCEB44751F004066BB04EA1D0E6B19A44CB94

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1352 2b01bdf-2b01c04 call 2b01ac3 1354 2b01c09-2b01c0b 1352->1354 1355 2b01c5a-2b01c5e 1354->1355 1356 2b01c0d-2b01c1d GetComputerNameA 1354->1356 1357 2b01c45-2b01c57 GetVolumeInformationA 1356->1357 1358 2b01c1f-2b01c24 1356->1358 1357->1355 1358->1357 1359 2b01c26-2b01c3b 1358->1359 1359->1359 1360 2b01c3d-2b01c3f 1359->1360 1360->1357 1361 2b01c41-2b01c43 1360->1361 1361->1355
                                                                                            APIs
                                                                                              • Part of subcall function 02B01AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02B01AD4
                                                                                              • Part of subcall function 02B01AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02B01AE9
                                                                                              • Part of subcall function 02B01AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02B01B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 02B01C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02B01C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2794401326-2393279970
                                                                                            • Opcode ID: dc4c527291702888440b5d33c984a8c8b6b28065273a94a18dd20d89aa073351
                                                                                            • Instruction ID: e9a88f52c03a6fb24fa77de2ac32410d659f9ae972c2c9735b5eb9b590accefe
                                                                                            • Opcode Fuzzy Hash: dc4c527291702888440b5d33c984a8c8b6b28065273a94a18dd20d89aa073351
                                                                                            • Instruction Fuzzy Hash: BA01847291411CBBEB25DAECC8C49EFBABCE744785F1008B6D606E7140D230DE449660
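The argument columns in the API records above are raw hex, and the values that carry meaning are well-known Win32 and Winsock constants: the 0000000F passed as wType to DnsQuery_A is DNS_TYPE_MX (the lookup a spam engine needs), the 0000FFFF/00001005 and 0000FFFF/00001006 pairs in the setsockopt block are SOL_SOCKET with SO_SNDTIMEO and SO_RCVTIMEO, 00000006/00000001 is IPPROTO_TCP/TCP_NODELAY, the 80000001 and 00020119 in RegOpenKeyExA are HKEY_CURRENT_USER and KEY_READ|KEY_WOW64_64KEY, the 00000002 in GetAdaptersAddresses is AF_INET, and the 00000002 in the second SetFileAttributesA call is FILE_ATTRIBUTE_HIDDEN. The decoder below is an added example for this page, not part of the Joe Sandbox report or of the sample; it parses API lines copied from the records above and names those constants. The constant tables are the documented Win32/Winsock values. It assumes the printed argument order follows the API's declared parameter order; the records list more values than the APIs take (trailing stack slots), and the decoder reads only the leading positional parameters it knows.

```python
"""Decode hex arguments in Joe Sandbox API-call lines into symbolic Win32/Winsock constants.

Added example, not Joe Sandbox code. The constant values are the documented Win32 ones;
the sample lines are copied from the report records above.
"""
import re

# Matches e.g.:  setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02B0F2C0
LINE_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
LEVEL_NAMES = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP"}
SOCKOPT_NAMES = {  # keyed by (level, optname)
    (SOL_SOCKET, 0x0004): "SO_REUSEADDR", (SOL_SOCKET, 0x0080): "SO_LINGER",
    (SOL_SOCKET, 0x1005): "SO_SNDTIMEO", (SOL_SOCKET, 0x1006): "SO_RCVTIMEO",
    (IPPROTO_TCP, 0x0001): "TCP_NODELAY",
}
HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# Ordered: composite KEY_READ first so it is named before its individual bits.
KEY_ACCESS = [(0x20019, "KEY_READ"), (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"),
              (0x0004, "KEY_CREATE_SUB_KEY"), (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
              (0x0010, "KEY_NOTIFY"), (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
              (0x20000, "READ_CONTROL")]
FILE_ATTRIBUTES = [(0x01, "FILE_ATTRIBUTE_READONLY"), (0x02, "FILE_ATTRIBUTE_HIDDEN"),
                   (0x04, "FILE_ATTRIBUTE_SYSTEM"), (0x80, "FILE_ATTRIBUTE_NORMAL")]
DNS_TYPES = {1: "DNS_TYPE_A", 2: "DNS_TYPE_NS", 5: "DNS_TYPE_CNAME", 15: "DNS_TYPE_MX",
             16: "DNS_TYPE_TEXT", 28: "DNS_TYPE_AAAA"}
ADDRESS_FAMILIES = {0: "AF_UNSPEC", 2: "AF_INET", 23: "AF_INET6"}


def parse_arg(tok):
    """'?' (value unknown to the sandbox) -> None; hex -> int; anything else stays a string."""
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok  # a string literal such as DnsQuery_A or localcfg


def sym(value, table):
    """Name a single-valued constant, or fall back to hex."""
    return "?" if value is None else table.get(value, f"0x{value:X}")


def flag_names(value, table):
    """Name a bitmask using an ordered (bit, name) list; leftover bits are shown as hex."""
    if value is None:
        return "?"
    names, rest = [], value
    for bit, name in table:
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


def decode_setsockopt(a):
    level, opt = a[1], a[2]
    optname = "?" if None in (level, opt) else SOCKOPT_NAMES.get((level, opt), f"0x{opt:X}")
    return [f"level={sym(level, LEVEL_NAMES)}", f"optname={optname}"]


DECODERS = {
    "setsockopt": decode_setsockopt,
    "RegOpenKeyExA": lambda a: [f"hKey={sym(a[0], HKEY_NAMES)}",
                                f"samDesired={flag_names(a[3], KEY_ACCESS)}"],
    "DnsQuery_A": lambda a: [f"wType={sym(a[1], DNS_TYPES)}"],
    "GetAdaptersAddresses": lambda a: [f"Family={sym(a[0], ADDRESS_FAMILIES)}"],
    "SetFileAttributesA": lambda a: [f"dwFileAttributes={flag_names(a[1], FILE_ATTRIBUTES)}"],
}


def decode_call(line):
    """Parse one 'API.MODULE(args), ref: ADDR' line and decode the parameters we know."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not an API call line: {line!r}")
    args = [parse_arg(t) for t in m.group("args").split(",")]
    decoder = DECODERS.get(m.group("api"))
    return {"api": m.group("api"), "module": m.group("module"), "ref": m.group("ref"),
            "args": args, "decoded": decoder(args) if decoder else []}


def decode_report(text):
    """Decode every API call line in a block of report text; other lines are skipped."""
    return [decode_call(ln) for ln in text.splitlines() if LINE_RE.search(ln)]


# Lines copied from the records above (the bullet glyphs removed).
SAMPLE_LINES = """
setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02B0F2C0
setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02B0F2EC
RegOpenKeyExA.KERNELBASE(80000001,02B0E5F2,00000000,00020119,02B0E5F2,02B122F8), ref: 02B0E3E6
DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02B02D77
GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02B01B20
SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 02B067BF
"""

if __name__ == "__main__":
    for rec in decode_report(SAMPLE_LINES):
        print(f"{rec['ref']}  {rec['api']:<22} {'  '.join(rec['decoded'])}")
```

Running the block prints one decoded line per record; feeding it the whole APIs section of a report is the quickest way to see, for example, that every socket the sample opens gets send/receive timeouts and TCP_NODELAY, which is the behaviour of a bot doing its own SMTP delivery rather than a generic downloader.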
                                                                                            APIs
                                                                                              • Part of subcall function 02B01AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02B01AD4
                                                                                              • Part of subcall function 02B01AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02B01AE9
                                                                                              • Part of subcall function 02B01AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02B01B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 02B01BA3
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02B01EFD,00000000,00000000,00000000,00000000), ref: 02B01BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2794401326-1857712256
                                                                                            • Opcode ID: 3c654e67c2948fe1cb097b11b69d898c22a46a5a5f2dd558195ae62ea6000ec0
                                                                                            • Instruction ID: 2be4efc9bbe94c8d3edb9f06c480988d7624e10e51fc24d377c589772602815a
                                                                                            • Opcode Fuzzy Hash: 3c654e67c2948fe1cb097b11b69d898c22a46a5a5f2dd558195ae62ea6000ec0
                                                                                            • Instruction Fuzzy Hash: BC014FB6D0410CBFEB019BE9C8859EFFABDEB48754F1505A2AA15E7180D6705E044AA1
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000002), ref: 02B02693
                                                                                            • gethostbyname.WS2_32(00000002), ref: 02B0269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: 3afed47cc1c9d48c709bc9d2a65fe96124809f16ca25509b6f033be4fdaff39c
                                                                                            • Instruction ID: 4d9b01ef6dc4963457a5e1899a8cdf2a8249b01992bd0552d190eda344d7a4f2
                                                                                            • Opcode Fuzzy Hash: 3afed47cc1c9d48c709bc9d2a65fe96124809f16ca25509b6f033be4fdaff39c
                                                                                            • Instruction Fuzzy Hash: 94E08C306040119FCB129A68F488A963BA4EF06270F014980FC80C3190CB309CC08680
                                                                                            APIs
                                                                                              • Part of subcall function 02B0DD05: GetTickCount.KERNEL32 ref: 02B0DD0F
                                                                                              • Part of subcall function 02B0DD05: InterlockedExchange.KERNEL32(02B136B4,00000001), ref: 02B0DD44
                                                                                              • Part of subcall function 02B0DD05: GetCurrentThreadId.KERNEL32 ref: 02B0DD53
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,02B0A445), ref: 02B0E558
                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,74DF0F10,?,00000000,?,02B0A445), ref: 02B0E583
                                                                                            • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,02B0A445), ref: 02B0E5B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                            • String ID:
                                                                                            • API String ID: 3683885500-0
                                                                                            • Opcode ID: 84ac1c6fb051c6ff4062a4b39609f4496c82a11386d04b3bffa7f817d4c6f8ef
                                                                                            • Instruction ID: ee556160753687027c36b0f2f34cf5ae213a4ef46f0af61fb04488a074dd2827
                                                                                            • Opcode Fuzzy Hash: 84ac1c6fb051c6ff4062a4b39609f4496c82a11386d04b3bffa7f817d4c6f8ef
                                                                                            • Instruction Fuzzy Hash: C62107B29802043AF6227A655C9AF6F3E4DDB55794F400DD4BE0AB11D3FA51D4108AB1
                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(000003E8), ref: 02B088A5
                                                                                              • Part of subcall function 02B0F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02B0E342,00000000,75A8EA50,80000001,00000000,02B0E513,?,00000000,00000000,?,000000E4), ref: 02B0F089
                                                                                              • Part of subcall function 02B0F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02B0E342,00000000,75A8EA50,80000001,00000000,02B0E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02B0F093
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$Sleep
                                                                                            • String ID: localcfg$rresolv
                                                                                            • API String ID: 1561729337-486471987
                                                                                            • Opcode ID: 4005296fb06b74cca95577523eb3ef3249dfb5802068613729f43480e027bda4
                                                                                            • Instruction ID: 7805e992e7366a68faaae8463812cf1280e46ebb16ad5f0bde42a49c0f456d30
                                                                                            • Opcode Fuzzy Hash: 4005296fb06b74cca95577523eb3ef3249dfb5802068613729f43480e027bda4
                                                                                            • Instruction Fuzzy Hash: AE21F071988300AAF326BB64ACC5F7A3F99EB44750FD408D9FD04860C0FF91A69089A5
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02B122F8,02B042B6,00000000,00000001,02B122F8,00000000,?,02B098FD), ref: 02B04021
                                                                                            • GetLastError.KERNEL32(?,02B098FD,00000001,00000100,02B122F8,02B0A3C7), ref: 02B0402C
                                                                                            • Sleep.KERNEL32(000001F4,?,02B098FD,00000001,00000100,02B122F8,02B0A3C7), ref: 02B04046
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: 22ad36968e7bf1399f8051f53348d225fc2de6e0f9a25204adabe3fe91db5825
                                                                                            • Instruction ID: dc19701fd48b65ce8188c82ac6f77a489461b0d04733eade86f10d0638a28ac1
                                                                                            • Opcode Fuzzy Hash: 22ad36968e7bf1399f8051f53348d225fc2de6e0f9a25204adabe3fe91db5825
                                                                                            • Instruction Fuzzy Hash: 63F0A032680205ABD7321A38AC89F6B3AB1EB81738F654FA4F3B6F20D0D73054C19B14
                                                                                            APIs
                                                                                            • GetEnvironmentVariableA.KERNEL32(02B0DC19,?,00000104), ref: 02B0DB7F
                                                                                            • lstrcpyA.KERNEL32(?,02B128F8), ref: 02B0DBA4
                                                                                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02B0DBC2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                            • String ID:
                                                                                            • API String ID: 2536392590-0
                                                                                            • Opcode ID: a0ef7d1c6c26f7ee377a6f5c623e5caca6ba0eab785f33530318c73ca70adada
                                                                                            • Instruction ID: b22e02af366f8c60674c06c557a0785ad58d13129d0dda1b4d7e0277ea9be0ee
                                                                                            • Opcode Fuzzy Hash: a0ef7d1c6c26f7ee377a6f5c623e5caca6ba0eab785f33530318c73ca70adada
                                                                                            • Instruction Fuzzy Hash: C5F09A7054020EABEF21AFA4DC89FE93B69AB10348F6049A4BB91A50D0D7F2D595CB20
                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B0EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02B0EC72
                                                                                            • GetTickCount.KERNEL32 ref: 02B0EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: c93c3e3fe11df513a7a79e4483f5bc90232ef14fe3699bb5a0de9e39c94f8dc6
                                                                                            • Instruction ID: 3ae9cbb010087e4b1da725be984331aaca6211050c088606aeef368f891b24f4
                                                                                            • Opcode Fuzzy Hash: c93c3e3fe11df513a7a79e4483f5bc90232ef14fe3699bb5a0de9e39c94f8dc6
                                                                                            • Instruction Fuzzy Hash: B0E09AF5C50108BFEB01EBB0EC4EE6B77BCEB08354F900A51B911D6080EA749A548B60
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 02B030D8
                                                                                            • gethostbyname.WS2_32(?), ref: 02B030E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynamegethostname
                                                                                            • String ID:
                                                                                            • API String ID: 3961807697-0
                                                                                            • Opcode ID: 9caf14a1da2a8c407d3713715c543c096928dda712543bb918e9fae9d2835010
                                                                                            • Instruction ID: 8d173e8f3dc260a8ac5bf3371f7741e4647e4340688e48b546d6a6909116f1db
                                                                                            • Opcode Fuzzy Hash: 9caf14a1da2a8c407d3713715c543c096928dda712543bb918e9fae9d2835010
                                                                                            • Instruction Fuzzy Hash: 6AE0E571D4111D9BCB10ABA8EC89F9A7BECFB05248F184961F945E7294EA74E5048790
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,02B0DB55,7FFF0001), ref: 02B0EC13
                                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,02B0DB55,7FFF0001), ref: 02B0EC1A
                                                                                              • Part of subcall function 02B0EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02B0EBFE,7FFF0001,?,02B0DB55,7FFF0001), ref: 02B0EBD3
                                                                                              • Part of subcall function 02B0EBCC: RtlAllocateHeap.NTDLL(00000000,?,02B0DB55,7FFF0001), ref: 02B0EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1357844191-0
                                                                                            • Opcode ID: a8a2c4adce120dfd9c96eb88e4bc5231a4e3928cb65f4c49a99c26d6da9bb447
                                                                                            • Instruction ID: 34f9ccb4a9d48adeacdf96cb8454318948a34e60564ee5fbec0ca3be037671cc
                                                                                            • Opcode Fuzzy Hash: a8a2c4adce120dfd9c96eb88e4bc5231a4e3928cb65f4c49a99c26d6da9bb447
                                                                                            • Instruction Fuzzy Hash: D2E012325442187ADF023A94E888B997FAADB047A1F548855F90D490A0CB36D5E0DA94
                                                                                            APIs
                                                                                              • Part of subcall function 02B0EBA0: GetProcessHeap.KERNEL32(00000000,00000000,02B0EC0A,00000000,80000001,?,02B0DB55,7FFF0001), ref: 02B0EBAD
                                                                                              • Part of subcall function 02B0EBA0: HeapSize.KERNEL32(00000000,?,02B0DB55,7FFF0001), ref: 02B0EBB4
                                                                                            • GetProcessHeap.KERNEL32(00000000,02B0EA27,00000000,02B0EA27,00000000), ref: 02B0EC41
                                                                                            • RtlFreeHeap.NTDLL(00000000), ref: 02B0EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$FreeSize
                                                                                            • String ID:
                                                                                            • API String ID: 1305341483-0
                                                                                            • Opcode ID: 245631000ac32246887cfd779c6cdf53de97c236c66bc34ec3e59e9294581b59
                                                                                            • Instruction ID: fff9b45db19edb4db4b02b8b420411ad8906716403dddf8509d7e8826e88864e
                                                                                            • Opcode Fuzzy Hash: 245631000ac32246887cfd779c6cdf53de97c236c66bc34ec3e59e9294581b59
                                                                                            • Instruction Fuzzy Hash: CBC012328462306BC6523650B84CF9B7F68EF45A51F490C89F80567080C76498D046E1
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,02B0EBFE,7FFF0001,?,02B0DB55,7FFF0001), ref: 02B0EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,02B0DB55,7FFF0001), ref: 02B0EBDA
                                                                                              • Part of subcall function 02B0EB74: GetProcessHeap.KERNEL32(00000000,00000000,02B0EC28,00000000,?,02B0DB55,7FFF0001), ref: 02B0EB81
                                                                                              • Part of subcall function 02B0EB74: HeapSize.KERNEL32(00000000,?,02B0DB55,7FFF0001), ref: 02B0EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0
                                                                                            • Opcode ID: d23585728e32c19ca630c081c8ff11f827e96b6233cd6845ca1c4e44ee141144
                                                                                            • Instruction ID: b132a69c422c58a5f965ae9887994f8870babdf13e2b72d04184ef2e683dc368
                                                                                            • Opcode Fuzzy Hash: d23585728e32c19ca630c081c8ff11f827e96b6233cd6845ca1c4e44ee141144
                                                                                            • Instruction Fuzzy Hash: C7C0803254422067C70137A47C0CF9A3EA4DF047D2F044C44F905C3150CB3448E08791
                                                                                            APIs
                                                                                            • recv.WS2_32(000000C8,?,00000000,02B0CA44), ref: 02B0F476
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: recv
                                                                                            • String ID:
                                                                                            • API String ID: 1507349165-0
                                                                                            • Opcode ID: bd28b8d66762ac0dbc41191661b1a00ec608ec2228d2379c574f3d00d1538ba8
                                                                                            • Instruction ID: 51e435ac5fd985a7712e6968570a29d7d4755d14d5a16f789eea86f3c809e80a
                                                                                            • Opcode Fuzzy Hash: bd28b8d66762ac0dbc41191661b1a00ec608ec2228d2379c574f3d00d1538ba8
                                                                                            • Instruction Fuzzy Hash: DFF01272301559AB9F129E59DCC4CBF3FAEFB892507484561FE14D7110DA31D8618BA0
                                                                                            APIs
                                                                                            • closesocket.WS2_32(00000000), ref: 02B01992
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesocket
                                                                                            • String ID:
                                                                                            • API String ID: 2781271927-0
                                                                                            • Opcode ID: 5ae295eb9f2303e0c4582d247ca5e75fabaed71d05f6ecd4741871fc0144e388
                                                                                            • Instruction ID: 1118d55c441f28c16e271e53467dccfd831d7cab7e9475d2e101d28b17b66430
                                                                                            • Opcode Fuzzy Hash: 5ae295eb9f2303e0c4582d247ca5e75fabaed71d05f6ecd4741871fc0144e388
                                                                                            • Instruction Fuzzy Hash: C9D022226482312A4216371CB80047FAFCCDF052A2740881AFC88C1080CB30C88287D1
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(80000011,00000000), ref: 02B0DDB5
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID:
                                                                                            • API String ID: 1586166983-0
                                                                                            • Opcode ID: aa82dcade001bb5e25e9d98cbdeb3bc623703048230793fac3e35ac9d44ceea7
                                                                                            • Instruction ID: 3c328073352bbaf6a36347395fba11a424096a5734ef91a6ad3ff7d8fdf50405
                                                                                            • Opcode Fuzzy Hash: aa82dcade001bb5e25e9d98cbdeb3bc623703048230793fac3e35ac9d44ceea7
                                                                                            • Instruction Fuzzy Hash: 1AF08231200213CBCB22CEA498C4656BBE4EF46269F554FBEE555D31C0DB30D855CB11
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02B09816,EntryPoint), ref: 02B0638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02B09816,EntryPoint), ref: 02B063A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02B063CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02B063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: fbb16b1233dfecc4da502b25b38ff5f603f06f545abe561dccdd0a54a3c0e188
                                                                                            • Instruction ID: d849d399acc419477be52273f917f0f6d4896990d1797a1f362db65a0ac81c73
                                                                                            • Opcode Fuzzy Hash: fbb16b1233dfecc4da502b25b38ff5f603f06f545abe561dccdd0a54a3c0e188
                                                                                            • Instruction Fuzzy Hash: 9111A771A40219BFDB115F69DC49F9B3FACEB047A4F004464FD04D7280D770DC608AA0
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02B01839,02B09646), ref: 02B01012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02B010C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02B010E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02B01101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02B01121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02B01140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02B01160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02B01180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02B0119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 02B011BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02B011DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02B011FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02B0121A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 974d95038bf2cbeec7fa02f257c3eadb9b646d38ef13708d2fa1fb33ea759757
                                                                                            • Instruction ID: 34caf3261b0a0b409eba0f09d9c29e03db9be173d0d1ec5c4c25a1affc65b648
                                                                                            • Opcode Fuzzy Hash: 974d95038bf2cbeec7fa02f257c3eadb9b646d38ef13708d2fa1fb33ea759757
                                                                                            • Instruction Fuzzy Hash: 3351D5719A2601D6E7168A6CACC0B513EE5E3483F4F8447D6AA2AE71E4F7B0C0D1CF61
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 02B0B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02B0B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 02B0B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 02B0B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 02B0B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 02B0B329
                                                                                            • wsprintfA.USER32 ref: 02B0B3B7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: 8bb851f6d047bc2a42e0b973df2a1e07b3c896908ff6f939755e91d58f34deab
                                                                                            • Instruction ID: 4bbad13b045afb2f9382274899310367ca2229e6dcdcf92abe73efd5251a286e
                                                                                            • Opcode Fuzzy Hash: 8bb851f6d047bc2a42e0b973df2a1e07b3c896908ff6f939755e91d58f34deab
                                                                                            • Instruction Fuzzy Hash: 4E51ECB2E0021DAACF15EFD5D9849EFBBB9EF48304F508899F901A6150D7344AD9CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: cd27ce56acf9f814e2c2c005454bcd698a6e9a82ab5c81ada2e0183270260551
                                                                                            • Instruction ID: c8b033e93209a7447f4e40c11a9353f865ae0bc01f0793504b9582c82753f92d
                                                                                            • Opcode Fuzzy Hash: cd27ce56acf9f814e2c2c005454bcd698a6e9a82ab5c81ada2e0183270260551
                                                                                            • Instruction Fuzzy Hash: 39614E72940208EFEB61AFB4DC85FEA7BE9FB08300F1488A9F959D3161DB7195908F50
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-4264063882
                                                                                            • Opcode ID: c228aa8811e1892a360b019580bf358f802b29876788a5be066c1ef949e7a1d6
                                                                                            • Instruction ID: 89c5ecf42e7334075fb4e831d02077e5de7069c48b42276967bccde899c87006
                                                                                            • Opcode Fuzzy Hash: c228aa8811e1892a360b019580bf358f802b29876788a5be066c1ef949e7a1d6
                                                                                            • Instruction Fuzzy Hash: 0FA10972944305ABEF239A54DCC5FAE3F6AEB00348F144CE6FB06670D0DB61A994CB55
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 02B0139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 02B01571
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-179334549
                                                                                            • Opcode ID: ca739b8172906c37da6cf4723baa90f806505b7828ea9ccf73a12d126cc67f41
                                                                                            • Instruction ID: 93d93f674382f510328b9cdbfff8205aa93f260ee849fee510a592a15f23c9a9
                                                                                            • Opcode Fuzzy Hash: ca739b8172906c37da6cf4723baa90f806505b7828ea9ccf73a12d126cc67f41
                                                                                            • Instruction Fuzzy Hash: 70F1BCB15083419FD325DF68C8C8B6ABBE5FB88344F404D9DFA8A9B290D774E944CB52
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 02B02A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 02B02A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 02B02AA0
                                                                                            • htons.WS2_32(00000000), ref: 02B02ADB
                                                                                            • select.WS2_32 ref: 02B02B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 02B02B4A
                                                                                            • htons.WS2_32(?), ref: 02B02B71
                                                                                            • htons.WS2_32(?), ref: 02B02B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02B02BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 382233a3c9be12f33385a2ac237fdcbc20b4bc2029bb64a6c4f384ffe53d1fed
                                                                                            • Instruction ID: 51afa2a646bacd89a6c43a0148c3d832aec41c5ac3372d398f059cf93ab83357
                                                                                            • Opcode Fuzzy Hash: 382233a3c9be12f33385a2ac237fdcbc20b4bc2029bb64a6c4f384ffe53d1fed
                                                                                            • Instruction Fuzzy Hash: A961C4719043059BD722AF65DC8CB6BBFE8FB48785F014C89FD8597180DBB4D8988BA1
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 02B070C2
                                                                                            • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 02B0719E
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 02B071B2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 02B07208
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 02B07291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 02B072C2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 02B072D0
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 02B07314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02B0738D
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 02B073D8
                                                                                              • Part of subcall function 02B0F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02B122F8,000000C8,02B07150,?), ref: 02B0F1AD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            • API String ID: 4293430545-3817095088
                                                                                            • Opcode ID: 7ead798c9b2a8488f822a5e4b8106e89a0c3c1be8cc880db45327f14443cd1ff
                                                                                            • Instruction ID: 5ddeb9645020f6aa6d451a655d9643bd92ef1f54896caf8297040191056688dc
                                                                                            • Opcode Fuzzy Hash: 7ead798c9b2a8488f822a5e4b8106e89a0c3c1be8cc880db45327f14443cd1ff
                                                                                            • Instruction Fuzzy Hash: BCB17471944209AEEB169FA4DC85BDEFBB9EF04304F1009E5F501E60D0EF71AA94DB64
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 02B0AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 02B0ADA6
                                                                                              • Part of subcall function 02B0AD08: gethostname.WS2_32(?,00000080), ref: 02B0AD1C
                                                                                              • Part of subcall function 02B0AD08: lstrlenA.KERNEL32(?), ref: 02B0AD60
                                                                                              • Part of subcall function 02B0AD08: lstrlenA.KERNEL32(?), ref: 02B0AD69
                                                                                              • Part of subcall function 02B0AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 02B0AD7F
                                                                                              • Part of subcall function 02B030B5: gethostname.WS2_32(?,00000080), ref: 02B030D8
                                                                                              • Part of subcall function 02B030B5: gethostbyname.WS2_32(?), ref: 02B030E2
                                                                                            • wsprintfA.USER32 ref: 02B0AEA5
                                                                                              • Part of subcall function 02B0A7A3: inet_ntoa.WS2_32(00000000), ref: 02B0A7A9
                                                                                            • wsprintfA.USER32 ref: 02B0AE4F
                                                                                            • wsprintfA.USER32 ref: 02B0AE5E
                                                                                              • Part of subcall function 02B0EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 02B0EF92
                                                                                              • Part of subcall function 02B0EF7C: lstrlenA.KERNEL32(?), ref: 02B0EF99
                                                                                              • Part of subcall function 02B0EF7C: lstrlenA.KERNEL32(00000000), ref: 02B0EFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: 9e8a611c746a637c18af1721fa96b25beb496ca42eabff1711e5248c33c11dbb
                                                                                            • Instruction ID: ad1749c1580927948f40ada1bc02bf2c791c5a4b346bb6a379ba99fcbe8ade9b
                                                                                            • Opcode Fuzzy Hash: 9e8a611c746a637c18af1721fa96b25beb496ca42eabff1711e5248c33c11dbb
                                                                                            • Instruction Fuzzy Hash: FD4101B290030CABEF26EFA0DC85EEF7BADFB08304F144896BA1592191EA75D5548F50
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,02B02F0F,?,02B020FF,02B12000), ref: 02B02E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02B02F0F,?,02B020FF,02B12000), ref: 02B02E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02B02E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02B02F0F,?,02B020FF,02B12000), ref: 02B02E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,02B02F0F,?,02B020FF,02B12000), ref: 02B02E4F
                                                                                            • htons.WS2_32(00000035), ref: 02B02E88
                                                                                            • inet_addr.WS2_32(?), ref: 02B02E93
                                                                                            • gethostbyname.WS2_32(?), ref: 02B02EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02B02F0F,?,02B020FF,02B12000), ref: 02B02EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,02B02F0F,?,02B020FF,02B12000), ref: 02B02EE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: 7dbca931c3207554e42d3c2c91da9f911a88ac447b9bab6275141d3cac673c2e
                                                                                            • Instruction ID: 3c4f4d5be30574cced53473aaf831c889e8dfadbf2ce4a7887d450f7871afc0a
                                                                                            • Opcode Fuzzy Hash: 7dbca931c3207554e42d3c2c91da9f911a88ac447b9bab6275141d3cac673c2e
                                                                                            • Instruction Fuzzy Hash: 8C31C431D8020AABDB12ABB8988CB6F7F78EF04764F140995FD18E72D0DB34D5958B50
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,02B09DD7,?,00000022,?,?,00000000,00000001), ref: 02B09340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02B09DD7,?,00000022,?,?,00000000,00000001), ref: 02B0936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,02B09DD7,?,00000022,?,?,00000000,00000001), ref: 02B09375
                                                                                            • wsprintfA.USER32 ref: 02B093CE
                                                                                            • wsprintfA.USER32 ref: 02B0940C
                                                                                            • wsprintfA.USER32 ref: 02B0948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02B094F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02B09526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02B09571
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: 10c1a945bd9d9841a970709bbf4e08c91c85d7753d09e00848f4d5076303f27c
                                                                                            • Instruction ID: 44cfddbba6b6aea094490f370fcb6c8fe2c1a8187972cde749f6a9b34a0b5417
                                                                                            • Opcode Fuzzy Hash: 10c1a945bd9d9841a970709bbf4e08c91c85d7753d09e00848f4d5076303f27c
                                                                                            • Instruction Fuzzy Hash: E5A19FB1940648AFEB26DFA0CC85FDE3BACEB04B44F1004A6FE0592192D771D594CFA0
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 02B0B467
                                                                                              • Part of subcall function 02B0EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 02B0EF92
                                                                                              • Part of subcall function 02B0EF7C: lstrlenA.KERNEL32(?), ref: 02B0EF99
                                                                                              • Part of subcall function 02B0EF7C: lstrlenA.KERNEL32(00000000), ref: 02B0EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: e05b4bee913b1b8580d7ae01a3cdfcfdb21250efea7c41dadfad3e7d2b589c97
                                                                                            • Instruction ID: d1f52f95dad595d2fa1c53a40053eebb0e7b4300c309493b75304bdcc50069c0
                                                                                            • Opcode Fuzzy Hash: e05b4bee913b1b8580d7ae01a3cdfcfdb21250efea7c41dadfad3e7d2b589c97
                                                                                            • Instruction Fuzzy Hash: 7B415EB254011C7EEF02BAA4CCC1DBFBF6DEF49648F144855FA05B2050DB31EA648BA1
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 02B02078
                                                                                            • GetTickCount.KERNEL32 ref: 02B020D4
                                                                                            • GetTickCount.KERNEL32 ref: 02B020DB
                                                                                            • GetTickCount.KERNEL32 ref: 02B0212B
                                                                                            • GetTickCount.KERNEL32 ref: 02B02132
                                                                                            • GetTickCount.KERNEL32 ref: 02B02142
                                                                                              • Part of subcall function 02B0F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02B0E342,00000000,75A8EA50,80000001,00000000,02B0E513,?,00000000,00000000,?,000000E4), ref: 02B0F089
                                                                                              • Part of subcall function 02B0F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02B0E342,00000000,75A8EA50,80000001,00000000,02B0E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02B0F093
                                                                                              • Part of subcall function 02B0E854: lstrcpyA.KERNEL32(00000001,?,?,02B0D8DF,00000001,localcfg,except_info,00100000,02B10264), ref: 02B0E88B
                                                                                              • Part of subcall function 02B0E854: lstrlenA.KERNEL32(00000001,?,02B0D8DF,00000001,localcfg,except_info,00100000,02B10264), ref: 02B0E899
                                                                                              • Part of subcall function 02B01C5F: wsprintfA.USER32 ref: 02B01CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: 12a4347d0695e97d48155bd142620db29f402e6a2c2f420524f0a922038164c3
                                                                                            • Instruction ID: a3df55e340aec5cf1384ee737846bd89b854c393ad2027902df2c81f006ccc87
                                                                                            • Opcode Fuzzy Hash: 12a4347d0695e97d48155bd142620db29f402e6a2c2f420524f0a922038164c3
                                                                                            • Instruction Fuzzy Hash: 7B5103B0E443065EE32EEF24ED89B2A3FD5EB00344F800899EE45C71D0EBB49498CA50
                                                                                            APIs
                                                                                              • Part of subcall function 02B0A4C7: GetTickCount.KERNEL32 ref: 02B0A4D1
                                                                                              • Part of subcall function 02B0A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02B0A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 02B0C31F
                                                                                            • GetTickCount.KERNEL32 ref: 02B0C32B
                                                                                            • GetTickCount.KERNEL32 ref: 02B0C363
                                                                                            • GetTickCount.KERNEL32 ref: 02B0C378
                                                                                            • GetTickCount.KERNEL32 ref: 02B0C44D
                                                                                            • InterlockedIncrement.KERNEL32(02B0C4E4), ref: 02B0C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,02B0B535,00000000,?,02B0C4E0), ref: 02B0C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,02B0C4E0,02B13588,02B08810), ref: 02B0C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: e25b331be03fd12da4fe5e684b6f056deb57ab7b1a7da8d21713e8842a8cd2d1
                                                                                            • Instruction ID: b42478c66e8d30ac2494cbfd571384fea63ac91dde5172b924c20cae0db0b230
                                                                                            • Opcode Fuzzy Hash: e25b331be03fd12da4fe5e684b6f056deb57ab7b1a7da8d21713e8842a8cd2d1
                                                                                            • Instruction Fuzzy Hash: AC5168B1A00B418FD7259F69C5C462ABFE9FB48304B509E7EE58BC7A90E774E844CB14
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02B0BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02B0BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02B0BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02B0BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02B0BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02B0BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-1625972887
                                                                                            • Opcode ID: 7899842464bf6e6e51c96246d4f9dd4318934471a89e2af0b80100b62175f7b3
                                                                                            • Instruction ID: a21dc538871aa8d412e2834caafe7bc7a630b35ec77cee9b3ae06371129c4320
                                                                                            • Opcode Fuzzy Hash: 7899842464bf6e6e51c96246d4f9dd4318934471a89e2af0b80100b62175f7b3
                                                                                            • Instruction Fuzzy Hash: 3D516071A0461AEFDB129B64C9C0B5EBFA9EF0438CF4448D9ED45AB295D730E941CF90
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,02B09A60,?,?,02B09E9D), ref: 02B06A7D
                                                                                            • GetDiskFreeSpaceA.KERNEL32(02B09E9D,02B09A60,?,?,?,02B122F8,?,?,?,02B09A60,?,?,02B09E9D), ref: 02B06ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,02B09A60,?,?,02B09E9D), ref: 02B06B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02B09A60,?,?,02B09E9D), ref: 02B06B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02B09A60,?,?,02B09E9D), ref: 02B06B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,02B09A60,?,?,02B09E9D), ref: 02B06B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02B09A60,?,?,02B09E9D), ref: 02B06B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02B09A60,?,?,02B09E9D), ref: 02B06B80
                                                                                            • GetLastError.KERNEL32(?,?,?,02B09A60,?,?,02B09E9D,?,?,?,?,?,02B09E9D,?,00000022,?), ref: 02B06B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3188212458-0
                                                                                            • Opcode ID: 04a0bc918cd764fef029baa293de683a3cbf29bd8ca8e09a7b63d2b80dfb8bb0
                                                                                            • Instruction ID: dfe3f41208052e287fdd70ee1fb93e44c54052bb34510b79d48e15abf234a94d
                                                                                            • Opcode Fuzzy Hash: 04a0bc918cd764fef029baa293de683a3cbf29bd8ca8e09a7b63d2b80dfb8bb0
                                                                                            • Instruction Fuzzy Hash: 2931F2B2D0014DAFDB02EFA08885ADE7F7DEF48350F5448A6EA11A7280D73096A4CF61
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,02B0D7C3), ref: 02B06F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02B0D7C3), ref: 02B06FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02B06FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 02B0701F
                                                                                            • wsprintfA.USER32 ref: 02B07036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: 5b43641da2fad58b1157dcdba90fb7d9dc076ad59e315d619313f3854e5f4503
                                                                                            • Instruction ID: ebe5767d0f51f97752f2da9f9cef51256ac50ccd4a105f589990d3154f6a4bb6
                                                                                            • Opcode Fuzzy Hash: 5b43641da2fad58b1157dcdba90fb7d9dc076ad59e315d619313f3854e5f4503
                                                                                            • Instruction Fuzzy Hash: 9A31FC72900219AFDB02DFA4D888EDA7FBCEF04354F1485A6F859DB140EB35E654CB94
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02B122F8,000000E4,02B06DDC,000000C8), ref: 02B06CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02B06CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02B06D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02B06D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                            • API String ID: 1082366364-3395550214
                                                                                            • Opcode ID: 7747dc356d747b145e50336a4454f819766ec551c05b26485c52e361bf044514
                                                                                            • Instruction ID: 0b839931dc6eb6c26b2bbf478319e85334c7329120d4b08b2407d761c8670446
                                                                                            • Opcode Fuzzy Hash: 7747dc356d747b145e50336a4454f819766ec551c05b26485c52e361bf044514
                                                                                            • Instruction Fuzzy Hash: 5C21F352B812647AF72766225CC8F6B3F4DCB42794F4909C4FC04AB0D1CB9585A582B9
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,02B09947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02B122F8), ref: 02B097B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02B122F8), ref: 02B097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02B122F8), ref: 02B097F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02B122F8), ref: 02B09831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02B122F8), ref: 02B0984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02B122F8), ref: 02B0985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: f7e22d1d36eac21c121da4253ad7f5ab150979d6882ba8bdf8a0955722e37883
                                                                                            • Instruction ID: d3c4d85476cc033723363603a04572ee7d8c04b565a6be425bfd094fe077152f
                                                                                            • Opcode Fuzzy Hash: f7e22d1d36eac21c121da4253ad7f5ab150979d6882ba8bdf8a0955722e37883
                                                                                            • Instruction Fuzzy Hash: 9A213271D41119BBDB129FA1DC89FEF7F7CEF05694F400860F919E2190E7709694CAA0
                                                                                            APIs
                                                                                              • Part of subcall function 02B0DD05: GetTickCount.KERNEL32 ref: 02B0DD0F
                                                                                              • Part of subcall function 02B0DD05: InterlockedExchange.KERNEL32(02B136B4,00000001), ref: 02B0DD44
                                                                                              • Part of subcall function 02B0DD05: GetCurrentThreadId.KERNEL32 ref: 02B0DD53
                                                                                              • Part of subcall function 02B0DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02B0DDB5
                                                                                            • lstrcpynA.KERNEL32(?,02B01E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02B0EAAA,?,?), ref: 02B0E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02B0EAAA,?,?,00000001,?,02B01E84,?), ref: 02B0E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02B0EAAA,?,?,00000001,?,02B01E84,?,0000000A), ref: 02B0E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02B0EAAA,?,?,00000001,?,02B01E84,?), ref: 02B0E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 0302e25f2f6bf8794cfc09111f5a6a841e95d541e32eee9984c9c3db80dd9b8b
                                                                                            • Instruction ID: 5d2ecce4e00651586a4f3e39ad2c9765e5349b134abedd904cc66af4466b9e06
                                                                                            • Opcode Fuzzy Hash: 0302e25f2f6bf8794cfc09111f5a6a841e95d541e32eee9984c9c3db80dd9b8b
                                                                                            • Instruction Fuzzy Hash: 66512F72D0020AAFCB11EFE8C9C49AEBBF9FF48304F14496AE515A7250D775EA548F50

APIs
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: 9846d0ab4da744caab10895751ab1c12cc625ff8103e74a6628947f4ded8e361
• Instruction ID: b026fb2577a25ee237c8b857099552283b73650622c023b4be2fcf2813a071d7
• Instruction Fuzzy Hash: 61215E72904119FFDB226B60ED89E9F7FACDB043A4B104995F502E2080EB31DA60D664

APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,02B122F8), ref: 02B0907B
• wsprintfA.USER32 ref: 02B090E9
• CreateFileA.KERNEL32(02B122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B0910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02B09122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02B0912D
• CloseHandle.KERNEL32(00000000), ref: 02B09134
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: adcc216bad6b9de9dc0a224b1f631b641f4b69e9eaec218018b1780aec5d3863
• Instruction ID: 4850d60027e6647898f4946c2a5c67564dd54d267cefb161991aaa50a490c649
• Instruction Fuzzy Hash: 2B119DB2A401147BF7267631DC4DFAF3A6EDBC4B04F0488E5BF06E6090DA708E518B64

APIs
• GetTickCount.KERNEL32 ref: 02B0DD0F
• GetCurrentThreadId.KERNEL32 ref: 02B0DD20
• GetTickCount.KERNEL32 ref: 02B0DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,02B0E538,?,74DF0F10,?,00000000,?,02B0A445), ref: 02B0DD3B
• InterlockedExchange.KERNEL32(02B136B4,00000001), ref: 02B0DD44
• GetCurrentThreadId.KERNEL32 ref: 02B0DD53
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 7000611c01d5037c33d8d4e55616e23ebf84a8d7a382e27e9e48fb6bfe5b9590
• Instruction ID: f8096660cb0d3bc176addff212f611ecb4b437175e51c0dace17f4943e461a52
• Instruction Fuzzy Hash: E3F0E972A88209DFC7416BE5A8C8B353FE5E7453D1F800D95E909C31C8D72450A5CF21

APIs
• gethostname.WS2_32(?,00000080), ref: 02B0AD1C
• lstrlenA.KERNEL32(?), ref: 02B0AD60
• lstrlenA.KERNEL32(?), ref: 02B0AD69
• lstrcpyA.KERNEL32(?,LocalHost), ref: 02B0AD7F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 1eb07a646494569e12750b3ba85adb768f8b31b326f7c07e7cea00530c231135
• Instruction ID: bfeac5bd758d9658a91d9a6edddec00188cb865920391ae7271d61bf0b067145
• Instruction Fuzzy Hash: 8D01492088438D5EDF33163894C4BB93F6AEB8674AF404ED6E6C08B195EF2490838751

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02B098FD,00000001,00000100,02B122F8,02B0A3C7), ref: 02B04290
• CloseHandle.KERNEL32(02B0A3C7), ref: 02B043AB
• CloseHandle.KERNEL32(00000001), ref: 02B043AE
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: e129f0f74d021e88b138f9cca8e603083f8d59640806a2b1cb4552ac66d3d052
• Instruction ID: e42f7a1af33c6d340f1fe296a23e30a2f5a4df272e02bea257c90e6b41bcfe7f
• Instruction Fuzzy Hash: 50418D71D00209BBDB12ABA1DDC9FAFBFB9EF40364F1045A5F614A21C0DB349650CBA0

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,02B064CF,00000000), ref: 02B0609C
• LoadLibraryA.KERNEL32(?,?,02B064CF,00000000), ref: 02B060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 02B0614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02B0619E
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: 9530bfee249132ba25285338626b2767509f9e2ab6f408bcdb710c15cdc9f8e9
• Instruction ID: 951f30fdda8403872f796dba3064e3ebf4e4982bad3c986f6dce264eab3733ab
• Instruction Fuzzy Hash: 68415C71E00106AFDB15CF54C8C4B69BBB9EF04358F1494A9E815D72D1E730EEA0CB90

Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 653db33c9b1f363bfff7100facd5c21dcff2933f4a555a10769b75055346c3d4
• Instruction ID: e74130b74990f6829b89b67e12349a59d710b95f0a0c4844c1531c3798cf7c0a
• Instruction Fuzzy Hash: 4B31B171900318ABDB129FA5CCC5BBEBBF4EF48705F104896E914E7280E774D6958B64

APIs
• GetTickCount.KERNEL32 ref: 02B0272E
• htons.WS2_32(00000001), ref: 02B02752
• htons.WS2_32(0000000F), ref: 02B027D5
• htons.WS2_32(00000001), ref: 02B027E3
• sendto.WS2_32(?,02B12BF8,00000009,00000000,00000010,00000010), ref: 02B02802
  • Part of subcall function 02B0EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02B0EBFE,7FFF0001,?,02B0DB55,7FFF0001), ref: 02B0EBD3
  • Part of subcall function 02B0EBCC: RtlAllocateHeap.NTDLL(00000000,?,02B0DB55,7FFF0001), ref: 02B0EBDA
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
• Opcode ID: 3d585302d924dc9511924c3d16620aca749673c0c492fc0fb573703a925dfad5
• Instruction ID: 4e8232ebd73bfda4d14d25f71814c177b8e6cbb8a6eab3cc7a1397e4beb818a2
• Instruction Fuzzy Hash: EA316D346803A69FD711DF74D8C0A627B60EF19358B5948EDEC59CB352D732E896CB10

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02B122F8), ref: 02B0915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 02B09166
• CharToOemA.USER32(?,?), ref: 02B09174
• wsprintfA.USER32 ref: 02B091A9
  • Part of subcall function 02B09064: GetTempPathA.KERNEL32(00000400,?,00000000,02B122F8), ref: 02B0907B
  • Part of subcall function 02B09064: wsprintfA.USER32 ref: 02B090E9
  • Part of subcall function 02B09064: CreateFileA.KERNEL32(02B122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B0910E
  • Part of subcall function 02B09064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02B09122
  • Part of subcall function 02B09064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02B0912D
  • Part of subcall function 02B09064: CloseHandle.KERNEL32(00000000), ref: 02B09134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02B091E1
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
• Opcode ID: b0bea6007a6dd4018e89b98eecf6cb7b9ea295fa1317eb800fe138130a19b058
• Instruction ID: 8ca95d2e2bbf09220eea2579cac67be44b53a2d924724461caf5ca35d00a6878
• Instruction Fuzzy Hash: 350140F6940118BBDB21A6619D8DFDF7B7CDB95B01F4008A1BF49E2080EA7496D58F70

APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02B02491,?,?,?,02B0E844,-00000030,?,?,?,00000001), ref: 02B02429
• lstrlenA.KERNEL32(?,?,02B02491,?,?,?,02B0E844,-00000030,?,?,?,00000001,02B01E3D,00000001,localcfg,lid_file_upd), ref: 02B0243E
• lstrcmpiA.KERNEL32(?,?), ref: 02B02452
• lstrlenA.KERNEL32(?,?,02B02491,?,?,?,02B0E844,-00000030,?,?,?,00000001,02B01E3D,00000001,localcfg,lid_file_upd), ref: 02B02467
Strings
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: 132e8dcdce9ee1073e43f4222d1c6b57876009f65be6edeb1a13f9da5250ea39
• Instruction ID: 4aafc06a62c5f11cd4f22ff6be9838e52bb9308c296e25f89b45b974ee94a75d
• Instruction Fuzzy Hash: 8301DA31A00218EFCF12EF69DC889DE7BA9EF44398B45C465ED5997201E330EA549B90

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 8661a41982932317baad65a88fa226a2f9012ee1d5ed83eb167914c53a039597
• Instruction ID: 222196cdbaa15854fc5c08d0193323647c56b664f4cadc57b969d1d7c245991e
• Instruction Fuzzy Hash: 03418C729042999FDB26DFB88884BEE7FE99F49310F240596FD64D3191D634D604CBA0

APIs
  • Part of subcall function 02B0DD05: GetTickCount.KERNEL32 ref: 02B0DD0F
  • Part of subcall function 02B0DD05: InterlockedExchange.KERNEL32(02B136B4,00000001), ref: 02B0DD44
  • Part of subcall function 02B0DD05: GetCurrentThreadId.KERNEL32 ref: 02B0DD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,02B05EC1), ref: 02B0E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,02B05EC1), ref: 02B0E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,74DF0F10,00000000,?,02B05EC1), ref: 02B0E722
Strings
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
• Opcode ID: 7b94dcdc8905330a21245020401b001c157807ef52706ec8abdaf946a2d235dc
• Instruction ID: 652d95be141e41b9153c48c606e031791df325600e2168602ded46a23a0dfb12
• Instruction Fuzzy Hash: DA31AF31A00715DBCB328EA4E8C87667FE4EB01354F104DAAE955875C1D770E880CB91

APIs
• RegCreateKeyExA.ADVAPI32(80000001,02B0E2A3,00000000,00000000,00000000,00020106,00000000,02B0E2A3,00000000,000000E4), ref: 02B0E0B2
• RegSetValueExA.ADVAPI32(02B0E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02B122F8), ref: 02B0E127
• RegDeleteValueA.ADVAPI32(02B0E2A3,?,?,?,?,?,000000C8,02B122F8), ref: 02B0E158
• RegCloseKey.ADVAPI32(02B0E2A3,?,?,?,?,000000C8,02B122F8,?,?,?,?,?,?,?,?,02B0E2A3), ref: 02B0E161
Memory Dump Source
• Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: 0dd646b47ca22f2a735a65c1d1f072f93833f4d3dc1a9a0d70ad5466c9e59b73
                                                                                            • Instruction ID: 7be6d495fde2eed68ea4b85e02c3f9a8fad74e903ce0309d861a1b53ce1592db
                                                                                            • Opcode Fuzzy Hash: 0dd646b47ca22f2a735a65c1d1f072f93833f4d3dc1a9a0d70ad5466c9e59b73
                                                                                            • Instruction Fuzzy Hash: 4D215E71E0021DBBDF219EA4DC89EDE7F79EF09790F0084A1F905A6190E771CA94CB90
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,02B0A3C7,00000000,00000000,000007D0,00000001), ref: 02B03FB8
                                                                                            • GetLastError.KERNEL32 ref: 02B03FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 02B03FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B03FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 176c5741c0bcdf9301fd09b15ac80bc04184351c2ffc7aabd257079ead9353ca
                                                                                            • Instruction ID: 6f42f57da555b9a138890d3a640ccef9a08bc509e2e6814c1844da07fc46fb53
                                                                                            • Opcode Fuzzy Hash: 176c5741c0bcdf9301fd09b15ac80bc04184351c2ffc7aabd257079ead9353ca
                                                                                            • Instruction Fuzzy Hash: E901977291010AAFDF12DF94D989BEE7BBCEF04355F504491FD06E2090D7719A648BA1
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,02B0A3C7,00000000,00000000,000007D0,00000001), ref: 02B03F44
                                                                                            • GetLastError.KERNEL32 ref: 02B03F4E
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 02B03F5F
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B03F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: f2d0a9b4b35679f11e0349a9f4f221ea315f55568775e2ec92cbe9503162d02d
                                                                                            • Instruction ID: ffd2522b86a506be5388026cc255b36f874e64034be7c05cd6560939faf31a62
                                                                                            • Opcode Fuzzy Hash: f2d0a9b4b35679f11e0349a9f4f221ea315f55568775e2ec92cbe9503162d02d
                                                                                            • Instruction Fuzzy Hash: BE019772915109ABDB12DF90D988BEE7BBCEB04395F5044A6FA01E2080D7709A658BA1
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 02B04E9E
                                                                                            • GetTickCount.KERNEL32 ref: 02B04EAD
                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 02B04EBA
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02B04EC3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 1ff19d76640d2579f872b6980103f44a5177720f3c91d9c71a7e70edd9709383
                                                                                            • Instruction ID: d3401482bc8851f0cab162b9c2f8b58b4bbbf67ef74d507b7281a315294c3d4e
                                                                                            • Opcode Fuzzy Hash: 1ff19d76640d2579f872b6980103f44a5177720f3c91d9c71a7e70edd9709383
                                                                                            • Instruction Fuzzy Hash: E8E0867664121897D61036B9ACC8F677A599B453E1F410DB1FB09D3180C65694A245B1
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 02B0A4D1
                                                                                            • GetTickCount.KERNEL32 ref: 02B0A4E4
                                                                                            • Sleep.KERNEL32(00000000,?,02B0C2E9,02B0C4E0,00000000,localcfg,?,02B0C4E0,02B13588,02B08810), ref: 02B0A4F1
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02B0A4FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 2e783be77090d73b5e7b63c03c36a0de0ae418cdf477d112cff66e84d38343cc
                                                                                            • Instruction ID: 6086af61d02ad5d67c984c4f357c9d536222f322633faf045f2e14acc95c950e
                                                                                            • Opcode Fuzzy Hash: 2e783be77090d73b5e7b63c03c36a0de0ae418cdf477d112cff66e84d38343cc
                                                                                            • Instruction Fuzzy Hash: 9BE0263724030857C60077A5ACC8F6E3B88EB497A1F460CA1FF08E3180C616A59182B2
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 02B04BDD
                                                                                            • GetTickCount.KERNEL32 ref: 02B04BEC
                                                                                            • Sleep.KERNEL32(00000000,?,?,?,02E1B12C,02B050F2), ref: 02B04BF9
                                                                                            • InterlockedExchange.KERNEL32(02E1B120,00000001), ref: 02B04C02
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 63a21f61fcbee2904dea08936f2bf9314d856e34321e6e57c9a1d53030025348
                                                                                            • Instruction ID: bb8264e83dbb0a3db9e4287bb0fa9b449e72877811fc561542e793189989c6f5
                                                                                            • Opcode Fuzzy Hash: 63a21f61fcbee2904dea08936f2bf9314d856e34321e6e57c9a1d53030025348
                                                                                            • Instruction Fuzzy Hash: 6AE0CD3768121C57C71036B65DC4F667B6CDB453A1F460CB2FF0DD3180C956D49142B1
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 02B03103
                                                                                            • GetTickCount.KERNEL32 ref: 02B0310F
                                                                                            • Sleep.KERNEL32(00000000), ref: 02B0311C
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02B03128
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: a68ed833e27a870a2dc0eaf92138a41b776a3e44e57b151fe04bef4c52102c62
                                                                                            • Instruction ID: 5fbbacdcd0193cbfb3f0ea308c090c55aab4ca1d07769bbccf830d8caa099a62
                                                                                            • Opcode Fuzzy Hash: a68ed833e27a870a2dc0eaf92138a41b776a3e44e57b151fe04bef4c52102c62
                                                                                            • Instruction Fuzzy Hash: 08E0C235640219ABDB007B75ADCDB496E9ADF887A1F010CB1FA05D30D0CAA08CA18A71
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 536389180-1857712256
                                                                                            • Opcode ID: 5f924798e6f828278a13f0311152a5dc6001beb57840130a377cf6899d3f0fe0
                                                                                            • Instruction ID: 34a08a712e6e1c3aadb9a8f19822b432f2aa0c0327c58929541edc98a8aea101
                                                                                            • Opcode Fuzzy Hash: 5f924798e6f828278a13f0311152a5dc6001beb57840130a377cf6899d3f0fe0
                                                                                            • Instruction Fuzzy Hash: BB21D232A10215AFCB11DFA8E8C465ABFBAFF20254B6547DDD401D7191DB30EA40CB54
                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02B0C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            • Opcode ID: 52a706f7470082bc36fedaa96198cea33eb157af41a80171d431441ef5d09730
                                                                                            • Instruction ID: ba2d5eb5767b77db8a1331ad67bc20dfc41d17568358332727916de87123a72e
                                                                                            • Opcode Fuzzy Hash: 52a706f7470082bc36fedaa96198cea33eb157af41a80171d431441ef5d09730
                                                                                            • Instruction Fuzzy Hash: 17119772500100FFDB429AA9CD48E567FA6FF88358B34859CF6188E126D633D863EB50
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02B026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 02B026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: 3d75034b7ae7e54e2213ff29a025ec49b0fce45da27d69ece52ce86f29752707
                                                                                            • Instruction ID: 46b73814edd3407c4707c58841c0c785cf531e0c68558f2bb93cdc5b71e648bd
                                                                                            • Opcode Fuzzy Hash: 3d75034b7ae7e54e2213ff29a025ec49b0fce45da27d69ece52ce86f29752707
                                                                                            • Instruction Fuzzy Hash: 9AF082321482096BEF056EA0EC49AAA3B9CDB09254F104861FD08CA0D0DB71E9508798
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,02B0EB54,_alldiv,02B0F0B7,80000001,00000000,00989680,00000000,?,?,?,02B0E342,00000000,75A8EA50,80000001,00000000), ref: 02B0EAF2
                                                                                            • GetProcAddress.KERNEL32(76E90000,00000000), ref: 02B0EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: c758a702d44abec3d309267a1b5a6518fa5af9c893b534bf357534ce8f7a141f
                                                                                            • Instruction ID: c64209f54ea1f666d5f6cde82579d3fd848c84d51da353a11cb3fcb47618019f
                                                                                            • Opcode Fuzzy Hash: c758a702d44abec3d309267a1b5a6518fa5af9c893b534bf357534ce8f7a141f
                                                                                            • Instruction Fuzzy Hash: 12D0C934E843039B9F125F68999EE057AECEB50781BC04C95B80AE3110E735E5A4DA00
                                                                                            APIs
                                                                                              • Part of subcall function 02B02D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,02B02F01,?,02B020FF,02B12000), ref: 02B02D3A
                                                                                              • Part of subcall function 02B02D21: LoadLibraryA.KERNEL32(?), ref: 02B02D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B02F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 02B02F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.4190900225.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2b00000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 36b743504096f45ca689a2be707ff0510ce245f3b6f8e32f11630114a784cf73
                                                                                            • Instruction ID: 5f0f5f04366cb45b572b5e869f08326086f7eca7d0b201bcd69d25c60e81b7ac
                                                                                            • Opcode Fuzzy Hash: 36b743504096f45ca689a2be707ff0510ce245f3b6f8e32f11630114a784cf73
                                                                                            • Instruction Fuzzy Hash: 53519E7190020A9FDF06AF64D888AFABBB5FF05344F1045A9EC96D7250E732DA59CB90